Windows Analysis Report
installer.msi

Overview

General Information

Sample name: installer.msi
Analysis ID: 1565756
MD5: 772813518aea3a48271080b42d5c6264
SHA1: 19c152151a15a8ada30dce65648755c60d1ab9d6
SHA256: a7253143b6d8a97b7b1aba868dac4bd902bd077a5279dea702dfb836f9d6c0b2
Tags: LegionLoader, msi, RobotDropper, search-keys-com, user-aachum
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7304 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7336 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7432 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7708 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • openvpn.exe (PID: 7972 cmdline: "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe" MD5: 5E807B5DAD1B6C81982037C714DC9AEF)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7432, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7708, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7432, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7708, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7432, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7708, ProcessName: powershell.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 104.21.42.101, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7432, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7432, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7708, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-30T18:43:19.825809+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 104.21.42.101 | 443 | TCP


AV Detection

Source: installer.msi, ReversingLabs: Detection: 21%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB905E80 CRYPTO_free,8_2_00007FFBBB905E80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8F1E80 CRYPTO_realloc,8_2_00007FFBBB8F1E80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB929E7A ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,8_2_00007FFBBB929E7A
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B5DB0 CRYPTO_malloc,8_2_00007FFBBB8B5DB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B7DA0 CRYPTO_free,8_2_00007FFBBB8B7DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB939E10 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB939E10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D9E10 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,8_2_00007FFBBB8D9E10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BDE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8BDE10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D3D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,8_2_00007FFBBB8D3D70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB903D80 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB903D80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D9CD0 EVP_MAC_CTX_free,CRYPTO_free,8_2_00007FFBBB8D9CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8EFCC0 CRYPTO_free,8_2_00007FFBBB8EFCC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB929D03 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,8_2_00007FFBBB929D03
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB929D1A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFBBB929D1A
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8DD450 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8DD450
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB939470 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB939470
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B13A0 CRYPTO_free,8_2_00007FFBBB8B13A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8FF3E0 CRYPTO_realloc,8_2_00007FFBBB8FF3E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8DD320 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8DD320
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB905320 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free,8_2_00007FFBBB905320
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB903350 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free,8_2_00007FFBBB903350
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BD360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,8_2_00007FFBBB8BD360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C7360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,8_2_00007FFBBB8C7360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9212B0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB9212B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D32C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,8_2_00007FFBBB8D32C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB92B310 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,8_2_00007FFBBB92B310
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9052E0 BIO_free,CRYPTO_free,8_2_00007FFBBB9052E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8EB2E0 CRYPTO_free,8_2_00007FFBBB8EB2E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D9300 CRYPTO_realloc,memcpy,8_2_00007FFBBB8D9300
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8F3230 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFBBB8F3230
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,8_2_00007FFBBB8B321D
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B5240 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFBBB8B5240
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB901277 CRYPTO_realloc,8_2_00007FFBBB901277
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB90F280 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,8_2_00007FFBBB90F280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB931260 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB931260
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9391A0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFBBB9391A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B1B0 CRYPTO_free,8_2_00007FFBBB91B1B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8E51F0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,8_2_00007FFBBB8E51F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B210 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB91B210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D1210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,8_2_00007FFBBB8D1210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C9120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,8_2_00007FFBBB8C9120
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8DD150 CRYPTO_free,CRYPTO_malloc,8_2_00007FFBBB8DD150
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB927130 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB927130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB913130 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFBBB913130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8FD140 CRYPTO_realloc,8_2_00007FFBBB8FD140
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB903190 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,8_2_00007FFBBB903190
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91F170 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,8_2_00007FFBBB91F170
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9030B0 EVP_EncryptUpdate,OPENSSL_LH_retrieve,8_2_00007FFBBB9030B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BB0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,8_2_00007FFBBB8BB0B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8E50E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,8_2_00007FFBBB8E50E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8ED110 CRYPTO_free,8_2_00007FFBBB8ED110
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB903820 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB903820
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C3820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc,8_2_00007FFBBB8C3820
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB931820 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB931820
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B9850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,8_2_00007FFBBB8B9850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D3840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8D3840
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C5840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,8_2_00007FFBBB8C5840
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB921880 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFBBB921880
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B7870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,8_2_00007FFBBB8B7870
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB917870 CRYPTO_free,8_2_00007FFBBB917870
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91D7C0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,8_2_00007FFBBB91D7C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B7B0 CRYPTO_free,8_2_00007FFBBB91B7B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9197F0 CRYPTO_malloc,ERR_new,ERR_set_debug,8_2_00007FFBBB9197F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB907720 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB907720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB93B730 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB93B730
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B1740 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFBBB8B1740
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B760 CRYPTO_free,8_2_00007FFBBB91B760
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB919770 CRYPTO_free,8_2_00007FFBBB919770
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C5780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host,8_2_00007FFBBB8C5780
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91D6B0 ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFBBB91D6B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9276B0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB9276B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B36C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,8_2_00007FFBBB8B36C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB919700 OPENSSL_cleanse,CRYPTO_free,8_2_00007FFBBB919700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8E56E0 CRYPTO_zalloc,8_2_00007FFBBB8E56E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C3700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8C3700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D3650 CRYPTO_THREAD_unlock,8_2_00007FFBBB8D3650
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8CD68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free,8_2_00007FFBBB8CD68B
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B670 CRYPTO_free,CRYPTO_free,8_2_00007FFBBB91B670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B15D0 CRYPTO_free,8_2_00007FFBBB8B15D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B35C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,8_2_00007FFBBB8B35C8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D75C0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,8_2_00007FFBBB8D75C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB921600 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,8_2_00007FFBBB921600
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB91B5F0 CRYPTO_free,8_2_00007FFBBB91B5F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8EB600 CRYPTO_free,8_2_00007FFBBB8EB600
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB92B540 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,8_2_00007FFBBB92B540
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB935530 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFBBB935530
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D5560 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,8_2_00007FFBBB8D5560
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B9590 CRYPTO_free,CRYPTO_memdup,8_2_00007FFBBB8B9590
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB929570 ERR_new,ERR_set_debug,CRYPTO_clear_free,8_2_00007FFBBB929570
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB9034D0 CRYPTO_free,8_2_00007FFBBB9034D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8EB4C0 CRYPTO_zalloc,8_2_00007FFBBB8EB4C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D34E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,8_2_00007FFBBB8D34E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8C5500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,8_2_00007FFBBB8C5500
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BB500 CRYPTO_free,8_2_00007FFBBB8BB500
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B8C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,8_2_00007FFBBB8B8C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8B2C60 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFBBB8B2C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB936BB0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,8_2_00007FFBBB936BB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8E6BC0 CRYPTO_malloc,8_2_00007FFBBB8E6BC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB926C00 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB926C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB90AC00 CRYPTO_realloc,8_2_00007FFBBB90AC00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB916C00 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFBBB916C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8CABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,8_2_00007FFBBB8CABF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8E6B40 CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8E6B40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BCB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,8_2_00007FFBBB8BCB70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB924B90 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFBBB924B90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8DCB90 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB8DCB90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BAB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,8_2_00007FFBBB8BAB80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8FEAB0 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,8_2_00007FFBBB8FEAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8BCAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,8_2_00007FFBBB8BCAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB90AAD0 CRYPTO_zalloc,8_2_00007FFBBB90AAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8CAAD0 CRYPTO_set_ex_data,8_2_00007FFBBB8CAAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB922B00 CRYPTO_realloc,8_2_00007FFBBB922B00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB8D4A30 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFBBB8D4A30
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB922A50 CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFBBB922A50
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5C0A2D89-B02D-4E7B-BB61-9AECE4FF3AD0}
Source: unknown HTTPS traffic detected: 104.21.42.101:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1646635036.00007FFBAAABC000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1655931611.00007FFBC3221000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: installer.msi
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1640413763.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1642535591.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, MSI107A.tmp.2.dr, MSI2FBD.tmp.2.dr, MSI104A.tmp.2.dr, MSIFCC.tmp.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB767AF0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,SystemTimeToFileTime,SystemTimeToTzSpecificLocalTimeEx,PrepareTape,SetEvent,SetWaitableTimerEx,FindFirstFileExW,GetSystemDefaultLCID,WriteFileEx,GetProcessAffinityMask,PeekNamedPipe,GetThreadPreferredUILanguages,GetNumaProcessorNode,SetConsoleCursorPosition,GetLogicalProcessorInformationEx,LCMapStringW,GetNumaNodeProcessorMaskEx,OpenProcess,FindFirstFileW,RemoveVectoredContinueHandler,lstrcmpiW,SetFileBandwidthReservation,GetErrorMode,CreateSemaphoreW,CloseHandle,CloseThreadpoolWait,GlobalDeleteAtom,CreateTimerQueueTimer,QueryIdleProcessorCycleTime,GetConsoleScreenBufferInfoEx,LocalFlags,CreateFileMappingFromApp,GetConsoleDisplayMode,GetSystemTimeAsFileTime,EnumLanguageGroupLocalesW,ReadFile,InitializeProcThreadAttributeList,GetConsoleProcessList,GetConsoleScreenBufferInfo,GetNLSVersion,GetLocalTime,GetNamedPipeClientProcessId,FindFirstStreamW,GetTimeZoneInformation,GetFileInformationByHandleEx,GetConsoleDisplayMode,GetModuleHandleExW,GetVersion,UnlockFileEx,LockFile,OpenFile,GetDefaultCommConfigW,FlushViewOfFile,GetConsoleAliasesW,GetDriveTypeW,EnumCalendarInfoExEx,IsThreadAFiber,SetConsoleTextAttribute,MapViewOfFileExNuma,DeleteCriticalSection,GlobalGetAtomNameW,SetProcessAffinityUpdateMode,LocalAlloc,OpenEventW,CopyFileW,VirtualProtect,8_2_00007FFBBB767AF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB769F00 IsSystemResumeAutomatic,EscapeCommFunction,GetNamedPipeClientProcessId,lstrcatW,CreateSymbolicLinkTransactedW,CheckRadioButton,EndDeferWindowPos,DlgDirSelectComboBoxExW,GetFileMUIPath,AttachConsole,SetThreadpoolTimer,HiliteMenuItem,GetLocalTime,CreateEventW,GetPrivateProfileSectionNamesW,SetThreadDescription,GetLargestConsoleWindowSize,GetCommProperties,SetProcessPriorityBoost,GetOverlappedResult,QueryPerformanceCounter,GetApplicationRecoveryCallback,TransactNamedPipe,ReplaceFileW,StrokePath,GetFullPathNameTransactedW,SearchPathW,CloseThreadpoolIo,IsBadReadPtr,GetSystemDefaultUILanguage,OpenProcess,CheckRemoteDebuggerPresent,SetThreadLocale,InitializeCriticalSection,LCIDToLocaleName,PeekConsoleInputW,GlobalFree,AddResourceAttributeAce,GetCalendarInfoW,SetThreadpoolThreadMinimum,GetTapeStatus,GetProcessVersion,Wow64EnableWow64FsRedirection,GetVolumeInformationByHandleW,GetConsoleWindow,AttachConsole,GetThreadPreferredUILanguages,AddVectoredExceptionHandler,SetThreadContext,FillConsoleOutputAttribute,ConnectNamedPipe,GetLogicalProcessorInformationEx,SetCommBreak,BuildCommDCBAndTimeoutsW,GetCPInfoExW,FlushViewOfFile,FreeResource,OpenThread,GetHandleInformation,ReleaseSRWLockExclusive,SetThreadPriorityBoost,CopyFile2,SetEvent,UnregisterWaitEx,FindFirstFileW,VirtualFreeEx,DebugActiveProcess,EnumDateFormatsExEx,GetLocalTime,GlobalFindAtomW,GetConsoleAliasExesLengthW,GlobalAddAtomW,RemoveVectoredExceptionHandler,VirtualQueryEx,CreateThreadpoolCleanupGroup,SetDynamicTimeZoneInformation,EnumSystemFirmwareTables,DebugSetProcessKillOnExit,GetProcAddress,GetShortPathNameW,QueryPerformanceFrequency,QueryThreadCycleTime,GetLongPathNameTransactedW,LocaleNameToLCID,GetStartupInfoW,lstrlenW,WritePrivateProfileStructW,GetCalendarInfoEx,GetThreadDescription,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,DeleteFileTransactedW,Allo
cateUserPhysicalPages,CancelSynchronousIo,CompareFileTime,TerminateProcess,GetCPInfo,GetFullPathNameW,AddSIDToBoundaryDescriptor,CloseThreadpoolTimer,MessageBeep,DestroyCursor,GetThreadContext,GetProcessWindowStation,GetSystemDefaultLocaleName,ShowOwnedPopups,CloseThreadpoolCleanupGroupMembers,GetSystemFileCacheSize,LCMapStringEx,GetMessageW,GetThreadIOPendingFlag,GetMenuState,EmptyClipboard,GetWindowsDirectoryW,GetApplicationRestartSettings,ShowWindowAsync,DrawTextExW,SetConsoleMode,8_2_00007FFBBB769F00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB769930 WriteConsoleInputW,SetSearchPathMode,LockResource,IsDBCSLeadByteEx,GetSystemPreferredUILanguages,GetFirmwareType,GetWindowRect,LoadBitmapW,GetScrollInfo,WaitForThreadpoolWaitCallbacks,GetWindowRect,MoveWindow,SetComputerNameExW,SetConsoleOutputCP,CountClipboardFormats,CreateRemoteThread,GetRegisteredRawInputDevices,CloseThreadpool,CloseThreadpoolWork,LoadLibraryExW,GetLocalTime,CloseThreadpoolWork,SoundSentry,SetClipboardData,ExpandEnvironmentStringsW,TrackPopupMenu,GetLargestConsoleWindowSize,CreateEventExW,VirtualLock,GetVolumeInformationByHandleW,EnumResourceTypesW,SetProcessWorkingSetSizeEx,SetFileBandwidthReservation,ConvertThreadToFiber,SetFirmwareEnvironmentVariableExW,GetNumaProcessorNode,SetProcessMitigationPolicy,lstrcatW,GetVolumeNameForVolumeMountPointW,CreateDirectoryExW,EnumSystemGeoID,EnumSystemFirmwareTables,IsBadReadPtr,HeapQueryInformation,SetFilePointerEx,ReleaseMutexWhenCallbackReturns,FindFirstFileTransactedW,CreateWaitableTimerExW,GetNumberOfConsoleMouseButtons,EndUpdateResourceW,GetThreadPreferredUILanguages,GetLogicalProcessorInformationEx,GetConsoleOriginalTitleW,GetFileTime,EnumSystemCodePagesW,ResetWriteWatch,CreateThreadpool,BuildCommDCBAndTimeoutsW,CreateTapePartition,WriteConsoleInputW,PowerClearRequest,SystemTimeToTzSpecificLocalTimeEx,SetFileAttributesW,SetThreadIdealProcessor,FindFirstFileW,VirtualAllocEx,ReadConsoleOutputW,DeleteTimerQueueEx,GetConsoleProcessList,OpenSemaphoreW,StartThreadpoolIo,GetCommProperties,HeapValidate,GetPrivateProfileIntW,GetUserGeoID,CloseThreadpoolWait,IsNLSDefinedString,WritePrivateProfileStringW,DeleteTimerQueueTimer,OpenFileById,ScrollConsoleScreenBufferW,GetLongPathNameTransactedW,InterlockedPushListSListEx,LoadPackagedLibrary,SetThreadIdealProcessor,8_2_00007FFBBB769930
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB766900 EnumSystemLocalesEx,GetUserDefaultUILanguage,SetProcessShutdownParameters,MoveFileTransactedW,AttachConsole,SetThreadpoolTimerEx,Wow64SetThreadContext,GetCurrencyFormatW,GetCommState,FindNextFileW,LocalUnlock,GetUILanguageInfo,CopyFileExW,SetConsoleWindowInfo,SetThreadGroupAffinity,GetFileAttributesTransactedW,SetErrorMode,OpenWaitableTimerW,GetNumaProcessorNodeEx,GetDateFormatW,GetProcessIdOfThread,GlobalSize,GetEnvironmentVariableW,GetApplicationRestartSettings,AppendMenuW,SetConsoleTextAttribute,CreateRemoteThread,CreateProcessW,GetCursorInfo,RemoveDllDirectory,SetCommState,LeaveCriticalSectionWhenCallbackReturns,DeferWindowPos,FindWindowW,BeginDeferWindowPos,IsThreadAFiber,SetCalendarInfoW,EnumSystemLocalesW,CreateDirectoryW,GetHandleInformation,GetIconInfo,IsBadCodePtr,ReadFileEx,GetProcessHeaps,PrepareTape,InterlockedFlushSList,GetComboBoxInfo,SwitchToThread,BeginUpdateResourceW,GetProcessAffinityMask,WakeConditionVariable,CloseThreadpoolCleanupGroup,GetCommConfig,FlsSetValue,AddScopedPolicyIDAce,CheckNameLegalDOS8Dot3W,TerminateThread,GetPriorityClass,CreateNamedPipeW,IsNLSDefinedString,SetComputerNameExW,SetProcessDEPPolicy,SizeofResource,DuplicateHandle,SetMailslotInfo,GetNumaNodeProcessorMask,MapUserPhysicalPagesScatter,LocaleNameToLCID,CreateFileMappingW,MoveFileWithProgressW,SetFileCompletionNotificationModes,GetLongPathNameW,GetConsoleSelectionInfo,SetFileApisToANSI,SetMailslotInfo,SetProtectedPolicy,VirtualAllocEx,SetFileAttributesW,PowerSetRequest,DisableThreadProfiling,GetProcessPriorityBoost,IsValidCodePage,FindFirstVolumeW,FindFirstStreamTransactedW,CreateMutexW,DeleteFileW,InvertRgn,GetCurrencyFormatW,CloseEnhMetaFile,ArcTo,WaitForThreadpoolIoCallbacks,GetNativeSystemInfo,VirtualProtectEx,CreateWaitableTimerExW,GetProcessorSystemCycleTime,SetThreadpoolWaitEx,EnumSystemLanguageGroupsW,Wow64RevertWow64FsRedirection,GetFileAttributesExW,RegisterA
pplicationRecoveryCallback,LocalFlags,SetSystemFileCacheSize,GetThreadLocale,HeapWalk,SystemTimeToTzSpecificLocalTimeEx,LocalReAlloc,FreeLibraryWhenCallbackReturns,QueryFullProcessImageNameW,FindFirstFileNameTransactedW,GetLongPathNameW,FindFirstVolumeMountPointW,AddDllDirectory,ReadThreadProfilingData,GetCommandLineW,InterlockedFlushSList,TzSpecificLocalTimeToSystemTime,GetConsoleOriginalTitleW,DrawFrameControl,EnumCalendarInfoExW,PurgeComm,PeekMessageW,CallMsgFilterW,SubmitThreadpoolWork,GetUserPreferredUILanguages,GetMaximumProcessorGroupCount,GetLastActivePopup,GetSubMenu,GetUserObjectSecurity,GetNumaProximityNode,GetFirmwareEnvironmentVariableW,CancelIo,GetCommState,FlushProcessWriteBuffers,GetClipboardFormatNameW,SetSystemCursor,EnableWindow,SetComputerNameExW,RaiseException,CreateFileW,GetTimeZoneInformation,AssignProcessToJobObject,IsWow64Message,OpenProcess,SetDefaultCommConfigW,SleepConditionVariableSRW,BackupSeek,TerminateJobObject,QueryProcessCycleTime,DeleteSynchronizationBarrier,EnumResourceNamesW,8_2_00007FFBBB766900
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB88F058 FindFirstFileW,8_2_00007FFBBB88F058
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB7F8E6C FindFirstFileExW,8_2_00007FFBBB7F8E6C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB764DA0 VirtualProtect,GetConsoleCursorInfo,DisableThreadProfiling,VirtualProtect,GlobalFindAtomW,GetNamedPipeServerSessionId,EnumResourceLanguagesExW,AttachConsole,AssignProcessToJobObject,PeekConsoleInputW,AcquireSRWLockShared,CallNamedPipeW,SetDllDirectoryW,VirtualLock,GetVolumeNameForVolumeMountPointW,FreeUserPhysicalPages,CompareFileTime,OpenEventW,GetThreadContext,SetFilePointerEx,InitializeCriticalSectionEx,GetOEMCP,FindFirstFileNameW,VirtualProtect,VirtualQuery,8_2_00007FFBBB764DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB768E10 GetDateFormatW,GetFileBandwidthReservation,InitializeCriticalSectionEx,GetConsoleOutputCP,IsBadReadPtr,QueryIdleProcessorCycleTime,GetNumberOfConsoleMouseButtons,SetFileAttributesW,FindFirstFileExW,SetCalendarInfoW,MapViewOfFileExNuma,FileTimeToLocalFileTime,GetNumaAvailableMemoryNodeEx,FindNLSStringEx,GetConsoleProcessList,VirtualLock,SetSearchPathMode,OutputDebugStringA,8_2_00007FFBBB768E10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB88E158 FindFirstFileExW,8_2_00007FFBBB88E158
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB76AE10 GetThreadTimes,CallbackMayRunLong,InitOnceExecuteOnce,SetProcessPriorityBoost,EnumResourceTypesW,CreateIoCompletionPort,TerminateThread,FlushProcessWriteBuffers,SetThreadUILanguage,PurgeComm,EnumCalendarInfoExEx,GetThreadDescription,PostQueuedCompletionStatus,IsValidNLSVersion,GetLogicalDriveStringsW,GetNumaNodeNumberFromHandle,GetTimeFormatW,ConnectNamedPipe,FillConsoleOutputAttribute,SetConsoleCtrlHandler,ReadConsoleOutputCharacterW,GetConsoleCP,GetProcessVersion,SetProcessPriorityBoost,GlobalAlloc,WriteFile,HeapQueryInformation,SetDynamicTimeZoneInformation,OutputDebugStringA,8_2_00007FFBBB76AE10

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.8:49706 -> 104.21.42.101:443
Source: openvpn.exe.2.dr Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmGetAppIdFromFileName0, FwpmEngineClose0
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655ECA700 send,select,recv,8_2_00007FF655ECA700
Source: global traffic DNS traffic detected: DNS query: search-keys.com
Source: unknown HTTP traffic detected:
    POST /licenseUser.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: search-keys.com
    Content-Length: 48
    Cache-Control: no-cache
Source: installer.msi String found in binary or memory: https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB764100 VirtualProtect,FindNextFileNameW,CopyFileW,BuildCommDCBW,SetThreadContext,HeapLock,GetConsoleTitleW,ReadFile,VirtualAllocEx,DebugBreak,ReleaseSRWLockExclusive,RaiseException,IsValidLanguageGroup,ResetWriteWatch,LocalFlags,CheckTokenMembershipEx,GetCompressedFileSizeTransactedW,GetIconInfo,EnumDateFormatsExW,UnregisterHotKey,GetTempPathW,SetMenuDefaultItem,UnpackDDElParam,QueryUnbiasedInterruptTime,GetSystemDefaultUILanguage,AreFileApisANSI,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetAsyncKeyState,OpenDesktopW,ApplicationRecoveryInProgress,IsImmersiveProcess,ShowCursor,GetFinalPathNameByHandleW,CharUpperBuffW,FileTimeToDosDateTime,LocalLock,GetProcessHeap,ReleaseSemaphoreWhenCallbackReturns,GetSystemInfo,GlobalFree,lstrlenW,SetConsoleTitleW,AcquireSRWLockExclusive,HeapAlloc,SetVolumeLabelW,SetFirmwareEnvironmentVariableExW,GetLongPathNameTransactedW,SetCommMask,DebugBreak,SetThreadUILanguage,GetNumberOfConsoleInputEvents,SetMailslotInfo,SetDefaultCommConfigW,AddResourceAttributeAce,CommConfigDialogW,DefineDosDeviceW,FreeResource,LockFileEx,OpenWaitableTimerW,CreatePrivateNamespaceW,InitAtomTable,SetCommMask,FatalExit,AcquireSRWLockShared,DisableThreadLibraryCalls,HeapUnlock,FlushConsoleInputBuffer,VirtualAlloc,IsDebuggerPresent,GetConsoleAliasExesLengthW,FlushInstructionCache,GetStringTypeW,GetFirmwareType,BindIoCompletionCallback,SetThreadErrorMode,EnumTimeFormatsEx,LocaleNameToLCID,LoadLibraryW,GetLocalTime,RemoveDllDirectory,RemoveDirectoryW,SetConsoleScreenBufferInfoEx,CreateTimerQueue,WaitForMultipleObjects,StartThreadpoolIo,ConnectNamedPipe,ReadConsoleOutputW,CheckNameLegalDOS8Dot3W,8_2_00007FFBBB764100
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FF655EA26A0: CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,malloc,_exit,free,OpenSSL_version,atoi,8_2_00007FF655EA26A0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6a05b9.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFCC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI104A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI107A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI10C9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2210.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2FBD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2FFC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI40B7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A6C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{5C0A2D89-B02D-4E7B-BB61-9AECE4FF3AD0}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4B77.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6a05bc.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIF1F.tmp
Source: libgpg-error-0.dll.2.dr, Static PE information: Number of sections : 12 > 10
Source: vlc.exe.2.dr, Static PE information: Number of sections : 14 > 10
Source: libwinpthread-1.dll.2.dr, Static PE information: Number of sections : 12 > 10
Source: libassuan-0.dll.2.dr, Static PE information: Number of sections : 12 > 10
Source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr, Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.2.dr, Static PE information: No import functions for PE file found
Source: installer.msi, Binary or memory string: OriginalFilenameAICustAct.dllF vs installer.msi
Source: installer.msi, Binary or memory string: OriginalFilenameSecureProp.dllF vs installer.msi
Source: installer.msi, Binary or memory string: OriginalFilenameDataUploader.dllF vs installer.msi
Source: installer.msi, Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs installer.msi
Source: classification engine, Classification label: mal80.troj.evad.winMSI@10/153@1/1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe, Code function: 8_2_00007FFBBB7BB4B0 GetDiskFreeSpaceExA
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe, Code function: 8_2_00007FFBBB769F00 IsSystemResumeAutomatic,EscapeCommFunction,GetNamedPipeClientProcessId,lstrcatW,CreateSymbolicLinkTransactedW,CheckRadioButton,EndDeferWindowPos,DlgDirSelectComboBoxExW,GetFileMUIPath,AttachConsole,SetThreadpoolTimer,HiliteMenuItem,GetLocalTime,CreateEventW,GetPrivateProfileSectionNamesW,SetThreadDescription,GetLargestConsoleWindowSize,GetCommProperties,SetProcessPriorityBoost,GetOverlappedResult,QueryPerformanceCounter,GetApplicationRecoveryCallback,TransactNamedPipe,ReplaceFileW,StrokePath,GetFullPathNameTransactedW,SearchPathW,CloseThreadpoolIo,IsBadReadPtr,GetSystemDefaultUILanguage,OpenProcess,CheckRemoteDebuggerPresent,SetThreadLocale,InitializeCriticalSection,LCIDToLocaleName,PeekConsoleInputW,GlobalFree,AddResourceAttributeAce,GetCalendarInfoW,SetThreadpoolThreadMinimum,GetTapeStatus,GetProcessVersion,Wow64EnableWow64FsRedirection,GetVolumeInformationByHandleW,GetConsoleWindow,AttachConsole,GetThreadPreferredUILanguages,AddVectoredExceptionHandler,SetThreadContext,FillConsoleOutputAttribute,ConnectNamedPipe,GetLogicalProcessorInformationEx,SetCommBreak,BuildCommDCBAndTimeoutsW,GetCPInfoExW,FlushViewOfFile,FreeResource,OpenThread,GetHandleInformation,ReleaseSRWLockExclusive,SetThreadPriorityBoost,CopyFile2,SetEvent,UnregisterWaitEx,FindFirstFileW,VirtualFreeEx,DebugActiveProcess,EnumDateFormatsExEx,GetLocalTime,GlobalFindAtomW,GetConsoleAliasExesLengthW,GlobalAddAtomW,RemoveVectoredExceptionHandler,VirtualQueryEx,CreateThreadpoolCleanupGroup,SetDynamicTimeZoneInformation,EnumSystemFirmwareTables,DebugSetProcessKillOnExit,GetProcAddress,GetShortPathNameW,QueryPerformanceFrequency,QueryThreadCycleTime,GetLongPathNameTransactedW,LocaleNameToLCID,GetStartupInfoW,lstrlenW,WritePrivateProfileStructW,GetCalendarInfoEx,GetThreadDescription,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,DeleteFileTransactedW,AllocateUserPhysicalPages,CancelSynchronousIo,CompareFileTime,TerminateProcess,GetCPInfo,GetFullPathNameW,AddSIDToBoundaryDescriptor,CloseThreadpoolTimer,MessageBeep,DestroyCursor,GetThreadContext,GetProcessWindowStation,GetSystemDefaultLocaleName,ShowOwnedPopups,CloseThreadpoolCleanupGroupMembers,GetSystemFileCacheSize,LCMapStringEx,GetMessageW,GetThreadIOPendingFlag,GetMenuState,EmptyClipboard,GetWindowsDirectoryW,GetApplicationRestartSettings,ShowWindowAsync,DrawTextExW,SetConsoleMode
Source: C:\Windows\System32\msiexec.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\CML4C38.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\TEMP\~DF7A8240728B1B03B4.TMP
Source: C:\Windows\System32\msiexec.exe, File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: installer.msi, ReversingLabs: Detection: 21%
Source: openvpn.exe, String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe, String found in binary or memory: Use --help for more information.
Source: openvpn.exe, String found in binary or memory: tun-stop
Source: openvpn.exe, String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe, String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: unknown, Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
Source: unknown, Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD
Source: C:\Windows\SysWOW64\msiexec.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe, Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libssl-3-x64.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libcrypto-3-x64.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libpkcs11-helper-1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libcrypto-3-x64.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: cryptbase.dllJump to behavior
Source: vlc.lnk.2.dr LNK file: ..\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5C0A2D89-B02D-4E7B-BB61-9AECE4FF3AD0}
Source: installer.msi Static file information: File size 56124928 > 1048576
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1646635036.00007FFBAAABC000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: installer.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1655931611.00007FFBC3221000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: installer.msi
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: installer.msi
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: installer.msi
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: installer.msi
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1640413763.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1642535591.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: installer.msi, MSI107A.tmp.2.dr, MSI2FBD.tmp.2.dr, MSI104A.tmp.2.dr, MSIFCC.tmp.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: vlc.exe.2.drStatic PE information: 0xA6D0A6C0 [Sun Sep 8 06:27:12 2058 UTC]
Source: vlc.exe.2.drStatic PE information: section name: .buildid
Source: vlc.exe.2.drStatic PE information: section name: .xdata
Source: vlc.exe.2.drStatic PE information: section name: /4
Source: VCRUNTIME140.dll.2.drStatic PE information: section name: _RDATA
Source: libassuan-0.dll.2.drStatic PE information: section name: .xdata
Source: libgpg-error-0.dll.2.drStatic PE information: section name: .xdata
Source: libwinpthread-1.dll.2.drStatic PE information: section name: .xdata
Source: SecureProp.dll.2.drStatic PE information: section name: .fptable
Source: UnRar.exe.2.drStatic PE information: section name: _RDATA
Source: libpkcs11-helper-1.dll.2.drStatic PE information: section name: .hdata
Source: MSI40B7.tmp.2.drStatic PE information: section name: .fptable
Source: MSIF1F.tmp.2.drStatic PE information: section name: .fptable
Source: MSIFCC.tmp.2.drStatic PE information: section name: .fptable
Source: MSI104A.tmp.2.drStatic PE information: section name: .fptable
Source: MSI107A.tmp.2.drStatic PE information: section name: .fptable
Source: MSI10C9.tmp.2.drStatic PE information: section name: .fptable
Source: MSI2210.tmp.2.drStatic PE information: section name: .fptable
Source: MSI2FBD.tmp.2.drStatic PE information: section name: .fptable
Source: MSI2FFC.tmp.2.drStatic PE information: section name: .fptable
Source: MSI4A6C.tmp.2.drStatic PE information: section name: .fptable
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF1F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI104A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI107A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI40B7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libcrypto-3-x64.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4A6C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\VCRUNTIME140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FBD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2210.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI10C9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFCC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FFC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI10C9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF1F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFCC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI104A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI107A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI40B7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4A6C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FBD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FFC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2210.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: GetAdaptersInfo,malloc,GetAdaptersInfo,malloc,8_2_00007FF655EE7970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3150Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI104A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF1F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI107A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI40B7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4A6C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FBD.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2210.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI10C9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFCC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FFC.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796Thread sleep count: 3150 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796Thread sleep count: 239 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB767AF0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,SystemTimeToFileTime,SystemTimeToTzSpecificLocalTimeEx,PrepareTape,SetEvent,SetWaitableTimerEx,FindFirstFileExW,GetSystemDefaultLCID,WriteFileEx,GetProcessAffinityMask,PeekNamedPipe,GetThreadPreferredUILanguages,GetNumaProcessorNode,SetConsoleCursorPosition,GetLogicalProcessorInformationEx,LCMapStringW,GetNumaNodeProcessorMaskEx,OpenProcess,FindFirstFileW,RemoveVectoredContinueHandler,lstrcmpiW,SetFileBandwidthReservation,GetErrorMode,CreateSemaphoreW,CloseHandle,CloseThreadpoolWait,GlobalDeleteAtom,CreateTimerQueueTimer,QueryIdleProcessorCycleTime,GetConsoleScreenBufferInfoEx,LocalFlags,CreateFileMappingFromApp,GetConsoleDisplayMode,GetSystemTimeAsFileTime,EnumLanguageGroupLocalesW,ReadFile,InitializeProcThreadAttributeList,GetConsoleProcessList,GetConsoleScreenBufferInfo,GetNLSVersion,GetLocalTime,GetNamedPipeClientProcessId,FindFirstStreamW,GetTimeZoneInformation,GetFileInformationByHandleEx,GetConsoleDisplayMode,GetModuleHandleExW,GetVersion,UnlockFileEx,LockFile,OpenFile,GetDefaultCommConfigW,FlushViewOfFile,GetConsoleAliasesW,GetDriveTypeW,EnumCalendarInfoExEx,IsThreadAFiber,SetConsoleTextAttribute,MapViewOfFileExNuma,DeleteCriticalSection,GlobalGetAtomNameW,SetProcessAffinityUpdateMode,LocalAlloc,OpenEventW,CopyFileW,VirtualProtect,8_2_00007FFBBB767AF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB769F00 IsSystemResumeAutomatic,EscapeCommFunction,GetNamedPipeClientProcessId,lstrcatW,CreateSymbolicLinkTransactedW,CheckRadioButton,EndDeferWindowPos,DlgDirSelectComboBoxExW,GetFileMUIPath,AttachConsole,SetThreadpoolTimer,HiliteMenuItem,GetLocalTime,CreateEventW,GetPrivateProfileSectionNamesW,SetThreadDescription,GetLargestConsoleWindowSize,GetCommProperties,SetProcessPriorityBoost,GetOverlappedResult,QueryPerformanceCounter,GetApplicationRecoveryCallback,TransactNamedPipe,ReplaceFileW,StrokePath,GetFullPathNameTransactedW,SearchPathW,CloseThreadpoolIo,IsBadReadPtr,GetSystemDefaultUILanguage,OpenProcess,CheckRemoteDebuggerPresent,SetThreadLocale,InitializeCriticalSection,LCIDToLocaleName,PeekConsoleInputW,GlobalFree,AddResourceAttributeAce,GetCalendarInfoW,SetThreadpoolThreadMinimum,GetTapeStatus,GetProcessVersion,Wow64EnableWow64FsRedirection,GetVolumeInformationByHandleW,GetConsoleWindow,AttachConsole,GetThreadPreferredUILanguages,AddVectoredExceptionHandler,SetThreadContext,FillConsoleOutputAttribute,ConnectNamedPipe,GetLogicalProcessorInformationEx,SetCommBreak,BuildCommDCBAndTimeoutsW,GetCPInfoExW,FlushViewOfFile,FreeResource,OpenThread,GetHandleInformation,ReleaseSRWLockExclusive,SetThreadPriorityBoost,CopyFile2,SetEvent,UnregisterWaitEx,FindFirstFileW,VirtualFreeEx,DebugActiveProcess,EnumDateFormatsExEx,GetLocalTime,GlobalFindAtomW,GetConsoleAliasExesLengthW,GlobalAddAtomW,RemoveVectoredExceptionHandler,VirtualQueryEx,CreateThreadpoolCleanupGroup,SetDynamicTimeZoneInformation,EnumSystemFirmwareTables,DebugSetProcessKillOnExit,GetProcAddress,GetShortPathNameW,QueryPerformanceFrequency,QueryThreadCycleTime,GetLongPathNameTransactedW,LocaleNameToLCID,GetStartupInfoW,lstrlenW,WritePrivateProfileStructW,GetCalendarInfoEx,GetThreadDescription,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,DeleteFileTransactedW,AllocateUserPhysicalPages,CancelSynchronousIo,CompareFileTime,TerminateProcess,GetCPInfo,GetFullPathNameW,AddSIDToBoundaryDescriptor,CloseThreadpoolTimer,MessageBeep,DestroyCursor,GetThreadContext,GetProcessWindowStation,GetSystemDefaultLocaleName,ShowOwnedPopups,CloseThreadpoolCleanupGroupMembers,GetSystemFileCacheSize,LCMapStringEx,GetMessageW,GetThreadIOPendingFlag,GetMenuState,EmptyClipboard,GetWindowsDirectoryW,GetApplicationRestartSettings,ShowWindowAsync,DrawTextExW,SetConsoleMode,8_2_00007FFBBB769F00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB769930 WriteConsoleInputW,SetSearchPathMode,LockResource,IsDBCSLeadByteEx,GetSystemPreferredUILanguages,GetFirmwareType,GetWindowRect,LoadBitmapW,GetScrollInfo,WaitForThreadpoolWaitCallbacks,GetWindowRect,MoveWindow,SetComputerNameExW,SetConsoleOutputCP,CountClipboardFormats,CreateRemoteThread,GetRegisteredRawInputDevices,CloseThreadpool,CloseThreadpoolWork,LoadLibraryExW,GetLocalTime,CloseThreadpoolWork,SoundSentry,SetClipboardData,ExpandEnvironmentStringsW,TrackPopupMenu,GetLargestConsoleWindowSize,CreateEventExW,VirtualLock,GetVolumeInformationByHandleW,EnumResourceTypesW,SetProcessWorkingSetSizeEx,SetFileBandwidthReservation,ConvertThreadToFiber,SetFirmwareEnvironmentVariableExW,GetNumaProcessorNode,SetProcessMitigationPolicy,lstrcatW,GetVolumeNameForVolumeMountPointW,CreateDirectoryExW,EnumSystemGeoID,EnumSystemFirmwareTables,IsBadReadPtr,HeapQueryInformation,SetFilePointerEx,ReleaseMutexWhenCallbackReturns,FindFirstFileTransactedW,CreateWaitableTimerExW,GetNumberOfConsoleMouseButtons,EndUpdateResourceW,GetThreadPreferredUILanguages,GetLogicalProcessorInformationEx,GetConsoleOriginalTitleW,GetFileTime,EnumSystemCodePagesW,ResetWriteWatch,CreateThreadpool,BuildCommDCBAndTimeoutsW,CreateTapePartition,WriteConsoleInputW,PowerClearRequest,SystemTimeToTzSpecificLocalTimeEx,SetFileAttributesW,SetThreadIdealProcessor,FindFirstFileW,VirtualAllocEx,ReadConsoleOutputW,DeleteTimerQueueEx,GetConsoleProcessList,OpenSemaphoreW,StartThreadpoolIo,GetCommProperties,HeapValidate,GetPrivateProfileIntW,GetUserGeoID,CloseThreadpoolWait,IsNLSDefinedString,WritePrivateProfileStringW,DeleteTimerQueueTimer,OpenFileById,ScrollConsoleScreenBufferW,GetLongPathNameTransactedW,InterlockedPushListSListEx,LoadPackagedLibrary,SetThreadIdealProcessor,8_2_00007FFBBB769930
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB766900 EnumSystemLocalesEx,GetUserDefaultUILanguage,SetProcessShutdownParameters,MoveFileTransactedW,AttachConsole,SetThreadpoolTimerEx,Wow64SetThreadContext,GetCurrencyFormatW,GetCommState,FindNextFileW,LocalUnlock,GetUILanguageInfo,CopyFileExW,SetConsoleWindowInfo,SetThreadGroupAffinity,GetFileAttributesTransactedW,SetErrorMode,OpenWaitableTimerW,GetNumaProcessorNodeEx,GetDateFormatW,GetProcessIdOfThread,GlobalSize,GetEnvironmentVariableW,GetApplicationRestartSettings,AppendMenuW,SetConsoleTextAttribute,CreateRemoteThread,CreateProcessW,GetCursorInfo,RemoveDllDirectory,SetCommState,LeaveCriticalSectionWhenCallbackReturns,DeferWindowPos,FindWindowW,BeginDeferWindowPos,IsThreadAFiber,SetCalendarInfoW,EnumSystemLocalesW,CreateDirectoryW,GetHandleInformation,GetIconInfo,IsBadCodePtr,ReadFileEx,GetProcessHeaps,PrepareTape,InterlockedFlushSList,GetComboBoxInfo,SwitchToThread,BeginUpdateResourceW,GetProcessAffinityMask,WakeConditionVariable,CloseThreadpoolCleanupGroup,GetCommConfig,FlsSetValue,AddScopedPolicyIDAce,CheckNameLegalDOS8Dot3W,TerminateThread,GetPriorityClass,CreateNamedPipeW,IsNLSDefinedString,SetComputerNameExW,SetProcessDEPPolicy,SizeofResource,DuplicateHandle,SetMailslotInfo,GetNumaNodeProcessorMask,MapUserPhysicalPagesScatter,LocaleNameToLCID,CreateFileMappingW,MoveFileWithProgressW,SetFileCompletionNotificationModes,GetLongPathNameW,GetConsoleSelectionInfo,SetFileApisToANSI,SetMailslotInfo,SetProtectedPolicy,VirtualAllocEx,SetFileAttributesW,PowerSetRequest,DisableThreadProfiling,GetProcessPriorityBoost,IsValidCodePage,FindFirstVolumeW,FindFirstStreamTransactedW,CreateMutexW,DeleteFileW,InvertRgn,GetCurrencyFormatW,CloseEnhMetaFile,ArcTo,WaitForThreadpoolIoCallbacks,GetNativeSystemInfo,VirtualProtectEx,CreateWaitableTimerExW,GetProcessorSystemCycleTime,SetThreadpoolWaitEx,EnumSystemLanguageGroupsW,Wow64RevertWow64FsRedirection,GetFileAttributesExW,RegisterApplicationRecoveryCallback,LocalFlags,SetSystemFileCacheSize,GetThreadLocale,HeapWalk,SystemTimeToTzSpecificLocalTimeEx,LocalReAlloc,FreeLibraryWhenCallbackReturns,QueryFullProcessImageNameW,FindFirstFileNameTransactedW,GetLongPathNameW,FindFirstVolumeMountPointW,AddDllDirectory,ReadThreadProfilingData,GetCommandLineW,InterlockedFlushSList,TzSpecificLocalTimeToSystemTime,GetConsoleOriginalTitleW,DrawFrameControl,EnumCalendarInfoExW,PurgeComm,PeekMessageW,CallMsgFilterW,SubmitThreadpoolWork,GetUserPreferredUILanguages,GetMaximumProcessorGroupCount,GetLastActivePopup,GetSubMenu,GetUserObjectSecurity,GetNumaProximityNode,GetFirmwareEnvironmentVariableW,CancelIo,GetCommState,FlushProcessWriteBuffers,GetClipboardFormatNameW,SetSystemCursor,EnableWindow,SetComputerNameExW,RaiseException,CreateFileW,GetTimeZoneInformation,AssignProcessToJobObject,IsWow64Message,OpenProcess,SetDefaultCommConfigW,SleepConditionVariableSRW,BackupSeek,TerminateJobObject,QueryProcessCycleTime,DeleteSynchronizationBarrier,EnumResourceNamesW,8_2_00007FFBBB766900
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB88F058 FindFirstFileW,8_2_00007FFBBB88F058
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB7F8E6C FindFirstFileExW,8_2_00007FFBBB7F8E6C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB764DA0 VirtualProtect,GetConsoleCursorInfo,DisableThreadProfiling,VirtualProtect,GlobalFindAtomW,GetNamedPipeServerSessionId,EnumResourceLanguagesExW,AttachConsole,AssignProcessToJobObject,PeekConsoleInputW,AcquireSRWLockShared,CallNamedPipeW,SetDllDirectoryW,VirtualLock,GetVolumeNameForVolumeMountPointW,FreeUserPhysicalPages,CompareFileTime,OpenEventW,GetThreadContext,SetFilePointerEx,InitializeCriticalSectionEx,GetOEMCP,FindFirstFileNameW,VirtualProtect,VirtualQuery,8_2_00007FFBBB764DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB768E10 GetDateFormatW,GetFileBandwidthReservation,InitializeCriticalSectionEx,GetConsoleOutputCP,IsBadReadPtr,QueryIdleProcessorCycleTime,GetNumberOfConsoleMouseButtons,SetFileAttributesW,FindFirstFileExW,SetCalendarInfoW,MapViewOfFileExNuma,FileTimeToLocalFileTime,GetNumaAvailableMemoryNodeEx,FindNLSStringEx,GetConsoleProcessList,VirtualLock,SetSearchPathMode,OutputDebugStringA,8_2_00007FFBBB768E10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB88E158 FindFirstFileExW,8_2_00007FFBBB88E158
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB76AE10 GetThreadTimes,CallbackMayRunLong,InitOnceExecuteOnce,SetProcessPriorityBoost,EnumResourceTypesW,CreateIoCompletionPort,TerminateThread,FlushProcessWriteBuffers,SetThreadUILanguage,PurgeComm,EnumCalendarInfoExEx,GetThreadDescription,PostQueuedCompletionStatus,IsValidNLSVersion,GetLogicalDriveStringsW,GetNumaNodeNumberFromHandle,GetTimeFormatW,ConnectNamedPipe,FillConsoleOutputAttribute,SetConsoleCtrlHandler,ReadConsoleOutputCharacterW,GetConsoleCP,GetProcessVersion,SetProcessPriorityBoost,GlobalAlloc,WriteFile,HeapQueryInformation,SetDynamicTimeZoneInformation,OutputDebugStringA,8_2_00007FFBBB76AE10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFBBB764100 VirtualProtect,FindNextFileNameW,CopyFileW,BuildCommDCBW,SetThreadContext,HeapLock,GetConsoleTitleW,ReadFile,VirtualAllocEx,DebugBreak,ReleaseSRWLockExclusive,RaiseException,IsValidLanguageGroup,ResetWriteWatch,LocalFlags,CheckTokenMembershipEx,GetCompressedFileSizeTransactedW,GetIconInfo,EnumDateFormatsExW,UnregisterHotKey,GetTempPathW,SetMenuDefaultItem,UnpackDDElParam,QueryUnbiasedInterruptTime,GetSystemDefaultUILanguage,AreFileApisANSI,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetAsyncKeyState,OpenDesktopW,ApplicationRecoveryInProgress,IsImmersiveProcess,ShowCursor,GetFinalPathNameByHandleW,CharUpperBuffW,FileTimeToDosDateTime,LocalLock,GetProcessHeap,ReleaseSemaphoreWhenCallbackReturns,GetSystemInfo,GlobalFree,lstrlenW,SetConsoleTitleW,AcquireSRWLockExclusive,HeapAlloc,SetVolumeLabelW,SetFirmwareEnvironmentVariableExW,GetLongPathNameTransactedW,SetCommMask,DebugBreak,SetThreadUILanguage,GetNumberOfConsoleInputEvents,SetMailslotInfo,SetDefaultCommConfigW,AddResourceAttributeAce,CommConfigDialogW,DefineDosDeviceW,FreeResource,LockFileEx,OpenWaitableTimerW,CreatePrivateNamespaceW,InitAtomTable,SetCommMask,FatalExit,AcquireSRWLockShared,DisableThreadLibraryCalls,HeapUnlock,FlushConsoleInputBuffer,VirtualAlloc,IsDebuggerPresent,GetConsoleAliasExesLengthW,FlushInstructionCache,GetStringTypeW,GetFirmwareType,BindIoCompletionCallback,SetThreadErrorMode,EnumTimeFormatsEx,LocaleNameToLCID,LoadLibraryW,GetLocalTime,RemoveDllDirectory,RemoveDirectoryW,SetConsoleScreenBufferInfoEx,CreateTimerQueue,WaitForMultipleObjects,StartThreadpoolIo,ConnectNamedPipe,ReadConsoleOutputW,CheckNameLegalDOS8Dot3W,8_2_00007FFBBB764100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: jdk.jdi.jmod.2.drBinary or memory string: n/Q(classes/com/sun/jdi/VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.2.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.attach.jmod.2.drBinary or memory string: classes/com/sun/tools/attach/VirtualMachineDescriptor.class
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/jdi/VirtualMachine.classPK
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.classPK
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.classPK
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.classPK
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.classPK
Source: jdk.internal.vm.ci.jmod.2.drBinary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.attach.jmod.2.drBinary or memory string: classes/sun/tools/attach/HotSpotAttachProvider$HotSpotVirtualMachineDescriptor.class
Source: jdk.jdi.jmod.2.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.classPK
Source: jdk.jdi.jmod.2.drBinary or memory string: n/Q/classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.internal.vm.compiler.jmod.2.drBinary or memory string: n/QAclasses/org/graalvm/compiler/api/runtime/GraalJVMCICompiler.class;
Source: jdk.internal.vm.ci.jmod.2.drBinary or memory string: n/QGclasses/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.2.drBinary or memory string: classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.internal.vm.ci.jmod.2.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.classPK
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB769F00 IsSystemResumeAutomatic,EscapeCommFunction,GetNamedPipeClientProcessId,lstrcatW,CreateSymbolicLinkTransactedW,CheckRadioButton,EndDeferWindowPos,DlgDirSelectComboBoxExW,GetFileMUIPath,AttachConsole,SetThreadpoolTimer,HiliteMenuItem,GetLocalTime,CreateEventW,GetPrivateProfileSectionNamesW,SetThreadDescription,GetLargestConsoleWindowSize,GetCommProperties,SetProcessPriorityBoost,GetOverlappedResult,QueryPerformanceCounter,GetApplicationRecoveryCallback,TransactNamedPipe,ReplaceFileW,StrokePath,GetFullPathNameTransactedW,SearchPathW,CloseThreadpoolIo,IsBadReadPtr,GetSystemDefaultUILanguage,OpenProcess,CheckRemoteDebuggerPresent,SetThreadLocale,InitializeCriticalSection,LCIDToLocaleName,PeekConsoleInputW,GlobalFree,AddResourceAttributeAce,GetCalendarInfoW,SetThreadpoolThreadMinimum,GetTapeStatus,GetProcessVersion,Wow64EnableWow64FsRedirection,GetVolumeInformationByHandleW,GetConsoleWindow,AttachConsole,GetThreadPreferredUILanguages,AddVectoredExceptionHandler,SetThreadContext,FillConsoleOutputAttribute,ConnectNamedPipe,GetLogicalProcessorInformationEx,SetCommBreak,BuildCommDCBAndTimeoutsW,GetCPInfoExW,FlushViewOfFile,FreeResource,OpenThread,GetHandleInformation,ReleaseSRWLockExclusive,SetThreadPriorityBoost,CopyFile2,SetEvent,UnregisterWaitEx,FindFirstFileW,VirtualFreeEx,DebugActiveProcess,EnumDateFormatsExEx,GetLocalTime,GlobalFindAtomW,GetConsoleAliasExesLengthW,GlobalAddAtomW,RemoveVectoredExceptionHandler,VirtualQueryEx,CreateThreadpoolCleanupGroup,SetDynamicTimeZoneInformation,EnumSystemFirmwareTables,DebugSetProcessKillOnExit,GetProcAddress,GetShortPathNameW,QueryPerformanceFrequency,QueryThreadCycleTime,GetLongPathNameTransactedW,LocaleNameToLCID,GetStartupInfoW,lstrlenW,WritePrivateProfileStructW,GetCalendarInfoEx,GetThreadDescription,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,DeleteFileTransactedW,AllocateUserPhysicalPages,CancelSynchronousIo,CompareFileTime,TerminateProcess,GetCPInfo,GetFullPathNameW,AddSIDToBoundaryDescriptor,CloseThreadpoolTimer,MessageBeep,DestroyCursor,GetThreadContext,GetProcessWindowStation,GetSystemDefaultLocaleName,ShowOwnedPopups,CloseThreadpoolCleanupGroupMembers,GetSystemFileCacheSize,LCMapStringEx,GetMessageW,GetThreadIOPendingFlag,GetMenuState,EmptyClipboard,GetWindowsDirectoryW,GetApplicationRestartSettings,ShowWindowAsync,DrawTextExW,SetConsoleMode,8_2_00007FFBBB769F00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB764100 VirtualProtect,FindNextFileNameW,CopyFileW,BuildCommDCBW,SetThreadContext,HeapLock,GetConsoleTitleW,ReadFile,VirtualAllocEx,DebugBreak,ReleaseSRWLockExclusive,RaiseException,IsValidLanguageGroup,ResetWriteWatch,LocalFlags,CheckTokenMembershipEx,GetCompressedFileSizeTransactedW,GetIconInfo,EnumDateFormatsExW,UnregisterHotKey,GetTempPathW,SetMenuDefaultItem,UnpackDDElParam,QueryUnbiasedInterruptTime,GetSystemDefaultUILanguage,AreFileApisANSI,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetAsyncKeyState,OpenDesktopW,ApplicationRecoveryInProgress,IsImmersiveProcess,ShowCursor,GetFinalPathNameByHandleW,CharUpperBuffW,FileTimeToDosDateTime,LocalLock,GetProcessHeap,ReleaseSemaphoreWhenCallbackReturns,GetSystemInfo,GlobalFree,lstrlenW,SetConsoleTitleW,AcquireSRWLockExclusive,HeapAlloc,SetVolumeLabelW,SetFirmwareEnvironmentVariableExW,GetLongPathNameTransactedW,SetCommMask,DebugBreak,SetThreadUILanguage,GetNumberOfConsoleInputEvents,SetMailslotInfo,SetDefaultCommConfigW,AddResourceAttributeAce,CommConfigDialogW,DefineDosDeviceW,FreeResource,LockFileEx,OpenWaitableTimerW,CreatePrivateNamespaceW,InitAtomTable,SetCommMask,FatalExit,AcquireSRWLockShared,DisableThreadLibraryCalls,HeapUnlock,FlushConsoleInputBuffer,VirtualAlloc,IsDebuggerPresent,GetConsoleAliasExesLengthW,FlushInstructionCache,GetStringTypeW,GetFirmwareType,BindIoCompletionCallback,SetThreadErrorMode,EnumTimeFormatsEx,LocaleNameToLCID,LoadLibraryW,GetLocalTime,RemoveDllDirectory,RemoveDirectoryW,SetConsoleScreenBufferInfoEx,CreateTimerQueue,WaitForMultipleObjects,StartThreadpoolIo,ConnectNamedPipe,ReadConsoleOutputW,CheckNameLegalDOS8Dot3W,8_2_00007FFBBB764100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655EFC9F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF655EFC9F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB7D9488 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBBB7D9488
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB7E9534 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBBB7E9534
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB88EFB8 SetUnhandledExceptionFilter,8_2_00007FFBBB88EFB8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB93FC20 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFBBB93FC20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB93F040 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FFBBB93F040
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBC322004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FFBC322004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655EF4560 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateSemaphoreA,WaitForSingleObject,_exit,8_2_00007FF655EF4560
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB8029E0 cpuid 8_2_00007FFBBB8029E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetTempPathA,GetTempFileNameA,SetPaletteEntries,CreateTimerQueue,CancelThreadpoolIo,GetQueuedCompletionStatus,SetThreadStackGuarantee,GetCompressedFileSizeW,CreateFileTransactedW,EnterSynchronizationBarrier,OffsetClipRgn,SetThreadLocale,SwapBuffers,GetFileType,GetTextExtentPointW,GetNativeSystemInfo,EnumFontsW,QueryPerformanceCounter,CreateDIBSection,WaitCommEvent,GetFontData,GetThreadPriorityBoost,SetThreadpoolThreadMinimum,GetNumaHighestNodeNumber,SetMiterLimit,CreateFontIndirectExW,GetErrorMode,FindNLSStringEx,CancelSynchronousIo,SetConsoleCtrlHandler,GetTempFileNameW,GetDurationFormatEx,VirtualUnlock,BackupSeek,GetACP,GetLocaleInfoW,TryAcquireSRWLockExclusive,GetLogicalProcessorInformationEx,GetUserPreferredUILanguages,GetConsoleScreenBufferInfo,GetCommandLineW,lstrlenW,RemoveDirectoryW,CheckTokenMembershipEx,GlobalLock,SetConsoleCP,GetCPInfo,RegOpenKeyExA,CreateFiberEx,SetEvent,GetProcessId,CreateTimerQueueTimer,CreateFileTransactedW,ReadDirectoryChangesW,GetLogicalDrives,Wow64DisableWow64FsRedirection,ReadConsoleInputW,ConvertThreadToFiber,GetUserPreferredUILanguages,GetCommProperties,SetLocalTime,WritePrivateProfileStringW,SetVolumeLabelW,IsProcessInJob,CreateThreadpool,RegisterApplicationRecoveryCallback,GetConsoleOutputCP,AreFileApisANSI,CreateMutexW,RegQueryValueExA,GetUserDefaultLangID,GetConsoleDisplayMode,LocaleNameToLCID,GetFileTime,GetNumaAvailableMemoryNode,lstrlenW,GetUserPreferredUILanguages,GetThreadId,EnumTimeFormatsW,FindCloseChangeNotification,CreateFiber,SystemTimeToTzSpecificLocalTimeEx,GetProfileIntW,HeapValidate,RegCloseKey,OutputDebugStringA,8_2_00007FFBBB763490
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFBBB7F18D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFBBB7F1E68
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FFBBB7FD3E8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFBBB7FD2B4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00007FFBBB7FD204
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFBBB7FD0AC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFBBB88EB90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,8_2_00007FFBBB7FC9A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesEx,GetUserDefaultUILanguage,SetProcessShutdownParameters,MoveFileTransactedW,AttachConsole,SetThreadpoolTimerEx,Wow64SetThreadContext,GetCurrencyFormatW,GetCommState,FindNextFileW,LocalUnlock,GetUILanguageInfo,CopyFileExW,SetConsoleWindowInfo,SetThreadGroupAffinity,GetFileAttributesTransactedW,SetErrorMode,OpenWaitableTimerW,GetNumaProcessorNodeEx,GetDateFormatW,GetProcessIdOfThread,GlobalSize,GetEnvironmentVariableW,GetApplicationRestartSettings,AppendMenuW,SetConsoleTextAttribute,CreateRemoteThread,CreateProcessW,GetCursorInfo,RemoveDllDirectory,SetCommState,LeaveCriticalSectionWhenCallbackReturns,DeferWindowPos,FindWindowW,BeginDeferWindowPos,IsThreadAFiber,SetCalendarInfoW,EnumSystemLocalesW,CreateDirectoryW,GetHandleInformation,GetIconInfo,IsBadCodePtr,ReadFileEx,GetProcessHeaps,PrepareTape,InterlockedFlushSList,GetComboBoxInfo,SwitchToThread,BeginUpdateResourceW,GetProcessAffinityMask,WakeConditionVariable,CloseThreadpoolCleanupGroup,GetCommConfig,FlsSetValue,AddScopedPolicyIDAce,CheckNameLegalDOS8Dot3W,TerminateThread,GetPriorityClass,CreateNamedPipeW,IsNLSDefinedString,SetComputerNameExW,SetProcessDEPPolicy,SizeofResource,DuplicateHandle,SetMailslotInfo,GetNumaNodeProcessorMask,MapUserPhysicalPagesScatter,LocaleNameToLCID,CreateFileMappingW,MoveFileWithProgressW,SetFileCompletionNotificationModes,GetLongPathNameW,GetConsoleSelectionInfo,SetFileApisToANSI,SetMailslotInfo,SetProtectedPolicy,VirtualAllocEx,SetFileAttributesW,PowerSetRequest,DisableThreadProfiling,GetProcessPriorityBoost,IsValidCodePage,FindFirstVolumeW,FindFirstStreamTransactedW,CreateMutexW,DeleteFileW,InvertRgn,GetCurrencyFormatW,CloseEnhMetaFile,ArcTo,WaitForThreadpoolIoCallbacks,GetNativeSystemInfo,VirtualProtectEx,CreateWaitableTimerExW,GetProcessorSystemCycleTime,SetThreadpoolWaitEx,EnumSystemLanguageGroupsW,Wow64RevertWow64FsRedirection,GetFileAttributesExW,RegisterApplicationRecoveryCallback,LocalFlags,SetSystemFileCacheSize,GetThreadLocale,HeapWalk,SystemTimeToTzSpecificLocalTimeEx,LocalReAlloc,FreeLibraryWhenCallbackReturns,QueryFullProcessImageNameW,FindFirstFileNameTransactedW,GetLongPathNameW,FindFirstVolumeMountPointW,AddDllDirectory,ReadThreadProfilingData,GetCommandLineW,InterlockedFlushSList,TzSpecificLocalTimeToSystemTime,GetConsoleOriginalTitleW,DrawFrameControl,EnumCalendarInfoExW,PurgeComm,PeekMessageW,CallMsgFilterW,SubmitThreadpoolWork,GetUserPreferredUILanguages,GetMaximumProcessorGroupCount,GetLastActivePopup,GetSubMenu,GetUserObjectSecurity,GetNumaProximityNode,GetFirmwareEnvironmentVariableW,CancelIo,GetCommState,FlushProcessWriteBuffers,GetClipboardFormatNameW,SetSystemCursor,EnableWindow,SetComputerNameExW,RaiseException,CreateFileW,GetTimeZoneInformation,AssignProcessToJobObject,IsWow64Message,OpenProcess,SetDefaultCommConfigW,SleepConditionVariableSRW,BackupSeek,TerminateJobObject,QueryProcessCycleTime,DeleteSynchronizationBarrier,EnumResourceNamesW,8_2_00007FFBBB766900
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FFBBB7FCE64
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFBBB7FCDCC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFBBB7FCCFC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFBBB88E518
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655EFD3EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_00007FF655EFD3EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFBBB767AF0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,SystemTimeToFileTime,SystemTimeToTzSpecificLocalTimeEx,PrepareTape,SetEvent,SetWaitableTimerEx,FindFirstFileExW,GetSystemDefaultLCID,WriteFileEx,GetProcessAffinityMask,PeekNamedPipe,GetThreadPreferredUILanguages,GetNumaProcessorNode,SetConsoleCursorPosition,GetLogicalProcessorInformationEx,LCMapStringW,GetNumaNodeProcessorMaskEx,OpenProcess,FindFirstFileW,RemoveVectoredContinueHandler,lstrcmpiW,SetFileBandwidthReservation,GetErrorMode,CreateSemaphoreW,CloseHandle,CloseThreadpoolWait,GlobalDeleteAtom,CreateTimerQueueTimer,QueryIdleProcessorCycleTime,GetConsoleScreenBufferInfoEx,LocalFlags,CreateFileMappingFromApp,GetConsoleDisplayMode,GetSystemTimeAsFileTime,EnumLanguageGroupLocalesW,ReadFile,InitializeProcThreadAttributeList,GetConsoleProcessList,GetConsoleScreenBufferInfo,GetNLSVersion,GetLocalTime,GetNamedPipeClientProcessId,FindFirstStreamW,GetTimeZoneInformation,GetFileInformationByHandleEx,GetConsoleDisplayMode,GetModuleHandleExW,GetVersion,UnlockFileEx,LockFile,OpenFile,GetDefaultCommConfigW,FlushViewOfFile,GetConsoleAliasesW,GetDriveTypeW,EnumCalendarInfoExEx,IsThreadAFiber,SetConsoleTextAttribute,MapViewOfFileExNuma,DeleteCriticalSection,GlobalGetAtomNameW,SetProcessAffinityUpdateMode,LocalAlloc,OpenEventW,CopyFileW,VirtualProtect,8_2_00007FFBBB767AF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655EC5E60 setsockopt,bind,_exit,8_2_00007FF655EC5E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655EC5660 listen,_exit,free,free,8_2_00007FF655EC5660
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF655E7D370 socket,listen,_exit,getsockname,free,free,8_2_00007FF655E7D370
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 12 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Windows Service; 12 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 21 Masquerading; 21 Virtualization/Sandbox Evasion; 12 Process Injection; Dynamic API Resolution
Credential Access: 1 Network Sniffing; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 3 File and Directory Discovery; 1 Network Sniffing; 37 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 11 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1565756, Sample: installer.msi, Startdate: 30/11/2024, Architecture: WINDOWS, Score: 80

Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; NDIS Filter Driver detected (likely used to intercept and sniff network traffic); 4 other signatures
Sample-level DNS/IP: search-keys.com

msiexec.exe 126 172 (started)
  dropped: C:\Users\user\AppData\Roaming\...\openvpn.exe, PE32+
  dropped: C:\Windows\Installer\MSIFCC.tmp, PE32
  dropped: C:\Windows\Installer\MSIF1F.tmp, PE32
  dropped: 40 other files (none is malicious)
  started: msiexec.exe 38
    DNS/IP: search-keys.com 104.21.42.101, 443, 49706 CLOUDFLARENETUS United States
    dropped: C:\Users\user\AppData\Local\...\scr412D.ps1, Unicode
    dropped: C:\Users\user\AppData\Local\...\pss412F.ps1, Unicode
    dropped: C:\Users\user\AppData\Local\...\msi412C.txt, Unicode
    signature: Bypasses PowerShell execution policy
    started: powershell.exe 17
      started: conhost.exe
  started: openvpn.exe 1
    started: conhost.exe
msiexec.exe 2 (started)

Source | Detection | Scanner | Label | Link
installer.msi | 21% | ReversingLabs | Win64.Packed.Generic |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://win.crashes.videolan.org/reportsCONOUT$ | 0% | Avira URL Cloud | safe |
https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params | 0% | Avira URL Cloud | safe |
https://search-keys.com/licenseUser.php | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
search-keys.com | 104.21.42.101 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://search-keys.com/licenseUser.php | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://win.crashes.videolan.org/reportsCONOUT$ | vlc.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1573504984.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000006.00000002.1574925503.0000000007000000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1574710510.0000000006FC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1569699239.0000000000544000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://openvpn.net/howto.html#mitm | openvpn.exe, openvpn.exe, 00000008.00000000.1640413763.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1642535591.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1570573527.0000000004976000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.1570573527.0000000004821000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mingw-w64.sourceforge.net/X | libwinpthread-1.dll.2.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1570573527.0000000004976000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000006.00000002.1570573527.000000000504B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000006.00000002.1573504984.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1573504984.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.1573504984.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.openssl.org/H | openvpn.exe, 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 00000008.00000002.1654521008.00007FFBAABBF000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.2.dr | false | | high
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1573504984.0000000005886000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gnu.org/licenses/ | libgpg-error-0.dll.2.dr | false | | high
https://gnu.org/licenses/gpl.html | libgpg-error-0.dll.2.dr | false | | high
http://www.videolan.org/ | vlc.exe.2.dr | false | | high
http://openvpn.net/faq.html#dhcpclientserv | openvpn.exe, openvpn.exe, 00000008.00000000.1640413763.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1642535591.00007FF655EFE000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1570573527.0000000004821000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.openssl.org/ | openvpn.exe | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1570573527.0000000004976000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params | installer.msi | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.42.101 | search-keys.com | United States | | 13335 | CLOUDFLARENETUS | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565756
Start date and time: 2024-11-30 18:42:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: installer.msi
Detection: MAL
Classification: mal80.troj.evad.winMSI@10/153@1/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 50
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7708 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: installer.msi

Time | Type | Description
12:43:21 | API Interceptor | 6x Sleep call for process: powershell.exe modified

No context
No context

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC Stealer | 172.67.165.166
file.exe | malicious | LummaC Stealer | 172.67.165.166
sora.mpsl.elf | malicious | Mirai | 8.47.33.136
file.exe | malicious | LummaC Stealer | 172.67.165.166
mmF9ZzglIn.vbs | malicious | Unknown | 104.16.249.249
sh4.elf | malicious | Mirai, Moobot | 1.4.15.184
file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 104.21.16.9
file.exe | malicious | LummaC Stealer | 104.21.16.9
file.exe | malicious | LummaC Stealer | 104.21.16.9
https://lapxae.clicks.mlsend.com/tf/c/eyJ2Ijoie1wiYVwiOjEyMDgyNzAsXCJsXCI6MTM5MTY5OTI3NzkzNzM5NDQ1LFwiclwiOjEzOTE2OTkzOTkzNjI0OTU2NH0iLCJzIjoiZjE4YTc4MTcwZGM2NmU1MSJ9 | malicious | Unknown | 104.17.108.239

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
W3UokmKK3o.msi | malicious | Unknown | 104.21.42.101
file.exe | malicious | Amadey, Stealc, Vidar | 104.21.42.101
file.exe | malicious | Vidar | 104.21.42.101
RezQY7jWu8.exe | malicious | XRed | 104.21.42.101
file.exe | malicious | HackBrowser, Xmrig | 104.21.42.101
siveria.exe | malicious | CredGrabber, Meduza Stealer | 104.21.42.101
unique.exe | malicious | CredGrabber, Meduza Stealer | 104.21.42.101
Fortexternal.exe | malicious | Unknown | 104.21.42.101
siveria.exe | malicious | CredGrabber, Meduza Stealer | 104.21.42.101
file.exe | malicious | Clipboard Hijacker | 104.21.42.101

Match: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | Unknown
v.1.6.3__x64__.msi | malicious | LegionLoader
v.1.5.4__x64__.msi | malicious | LegionLoader
LegionLoader (21).msi | malicious | Unknown
LegionLoader (22).msi | malicious | Unknown
LegionLoader (17).msi | malicious | Unknown
LegionLoader (13).msi | malicious | Unknown
LegionLoader (14).msi | malicious | Unknown
LegionLoader (15).msi | malicious | Unknown
LegionLoader (10).msi | malicious | Unknown

                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):23636
                                                                Entropy (8bit):5.869368666234469
                                                                Encrypted:false
                                                                SSDEEP:384:rXq9xmmYUKl4i64BZUQpM2L1hkDjhPRmxF16dA3w9agnZ51RvsAFK2pwjppwit9q:rXq9xmmYUKl4i64BZUQpM2L1hkDjhPRT
                                                                MD5:0E7FB26CB9028B9A909773A1856B62C6
                                                                SHA1:6AE45F27D5548FEDC5D11377976867E69CDD408B
                                                                SHA-256:688B8B0693899DF69477AA7EABDC1A7E402B9EAD4C8D8B97154FEF0510AF43B7
                                                                SHA-512:86AAAA6AFB29C0247939B0A165F9E7F6B3B7C66A57421B35A277B217F5913D9FFEBF9D9BE709D7D304533A2C075B663E7A8BD7A5805C1C6554FA10F84B16ACD4
                                                                Malicious:false
                                                                Reputation:low
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jun 18 23:44:58 2021, mtime=Sat Nov 30 16:43:27 2024, atime=Fri Jun 18 23:44:58 2021, length=984312, window=hide
                                                                Category:dropped
                                                                Size (bytes):2126
                                                                Entropy (8bit):3.85057274343126
                                                                Encrypted:false
                                                                SSDEEP:48:8iLY5zVfztzSjf4XYH1pStIdu1kpStQ0sCs:8iYlZs1/cKX0sC
                                                                MD5:7414A76D639EAB8AA6C266097A961642
                                                                SHA1:396C730DBE2FCFD6BB5416ED1860C3FC53BDAC47
                                                                SHA-256:F11EB334C33BC27254B453126B8A48BBAC14DC93CC10D044BF840A9177351E08
                                                                SHA-512:E09D8DA433AB9AB720A2F66ADAA0AE9831E35B0FCB9B590CC516C1D1F25BE876AAC18B7B6D20679D2A84F3D129900687C8F51773BCFE140799D722A958A43AA8
                                                                Malicious:false
                                                                Reputation:low
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):2
                                                                Entropy (8bit):1.0
                                                                Encrypted:false
                                                                SSDEEP:3:u:u
                                                                MD5:E99BB33727D338314912E86FBDEC87AF
                                                                SHA1:6779AFBC3E993C547CA0800A9754F37A6E80E0ED
                                                                SHA-256:6856C5A3A26B5A3F2EAD70CA56870769D1FEE88F9C457F4360812F2203565824
                                                                SHA-512:00FC5A88AB965B5A16D7CA33CFEF247ECE3185560F2C778CFBDD0353FE73505638E300B35F447713D26A5001AB29F6F969622BCEAEF1C100E80913F7430CC085
                                                                Malicious:false
                                                                Preview:0a
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1360
                                                                Entropy (8bit):5.413197223328133
                                                                Encrypted:false
                                                                SSDEEP:24:3UWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:EWSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                                MD5:1A8B62C28399515602DCA9C94C2B2490
                                                                SHA1:384EB5E2AFB32EC137CE02833466A20048E2A689
                                                                SHA-256:B5A234A10D8D76E65C18EA63D097512F3D53FC5739EF7A8099AC8B22FA7C9F00
                                                                SHA-512:095BD0CB3027199DDB62FFDA863673CED39884DFE0F9B9BECDF2A1CC6674D27F8AD8D0E965C1F38E4D63140F7E0DCBCA8D443E5A48E543FE0B13DA2FF2ED5CE8
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):120
                                                                Entropy (8bit):3.114265262861381
                                                                Encrypted:false
                                                                SSDEEP:3:QtFKYpjKjKDiAl35Yplf8fp0lfflbYplf955:Q6mfDj0LkS3ELN
                                                                MD5:DF174504EEAED47D591D6E99A2817A15
                                                                SHA1:1F57BA0AA32EC1E9F8F991CEA40ECE29B6BE65E0
                                                                SHA-256:34AAF9D28904E1D6CB3625757A1A489D90FDCBC7A93300D5752CDDAF10CEC1AB
                                                                SHA-512:99F17721EC39515667D4D2CEFC26C54D22109070F20F10AA3013D3325AABEFB2DE848B95B42B9890BE95C096C0C8F749BE15197234D2908D2B04A7241FC558D5
                                                                Malicious:true
                                                                Preview:HttpPostServerResponse :<->: 0a <<:>> QuotaQ :<->: 0 <<:>> 
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):6668
                                                                Entropy (8bit):3.5127462716425657
                                                                Encrypted:false
                                                                SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                MD5:30C30EF2CB47E35101D13402B5661179
                                                                SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                Malicious:true
                                                                Preview:param(
                                                                  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                                 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                                 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                                 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                                 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                                 ,[Parameter(Mandatory=$true)]
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):266
                                                                Entropy (8bit):3.566480950588478
                                                                Encrypted:false
                                                                SSDEEP:6:Qlfk79idK3fgmfDjl+KiV6QerMTl0x1LlG7JidK3fOlbX:QwElQrMT9NKh
                                                                MD5:673120B53D3EFBCF19B365330F545E47
                                                                SHA1:DD051A8F68FEA474284694620F0FC3A07ED3C8FA
                                                                SHA-256:F688602F60CAA720932287DD3E70C93779C89C30DB3589B884B852F2CD8ABBD6
                                                                SHA-512:6177A404580A6CF9189CA4CF7AF52B37B839620A6321EAE88C7748318229000B1FCA4A1EE22D199900EEE1BC4F269D82954D174C2961ED021D357BA29F6566FE
                                                                Malicious:true
                                                                Preview:$sdjhf = AI_GetMsiProperty "HttpPostServerResponse"
                                                                $fuifwo = [uint32]($sdjhf -replace 'a', '')
                                                                AI_SetMsiProperty "QuotaQ" $fuifwo
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):59
                                                                Entropy (8bit):2.219411074181711
                                                                Encrypted:false
                                                                SSDEEP:3:/lGlle2QwXln:8A2ZXln
                                                                MD5:62E024FE2476732F71542D38DDF3F263
                                                                SHA1:304A79B7904E2E1017AF6BC24461D2D7B4EDBDE2
                                                                SHA-256:A05BE7F1BA1635E6CB5A46F778B93A0CA8FDDCD60C0E91BE3A9E86040DB067A5
                                                                SHA-512:33162E2CA0135E03436491349B6DA65660B5D0F295B97E5243F4A4E380B51D7D6F00AE51CD48894B4149B6771C8E193E70061A190B6ABFC8B1FCAD3AFE084A7D
                                                                Malicious:false
                                                                Preview:........................................Advanced Installer.
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                Category:dropped
                                                                Size (bytes):175255
                                                                Entropy (8bit):3.85622158771748
                                                                Encrypted:false
                                                                SSDEEP:1536:45DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPU:45Dt+e7GVBFvvMg0Vj5Ho4CIDPU
                                                                MD5:333EE8442C6101D0CD9C874D0AD83EAE
                                                                SHA1:22278A01E88B826B16D4936FA254E457B9ACA059
                                                                SHA-256:B5FDF4A4143964A46B7F2BBD1357D075C786F7AFBBA0BE3DD7B2623F379271BF
                                                                SHA-512:04F3BE053ECB44B11FE9ABDE941BFD367B17C0532B2C634FC42AF85CF1BE68C0F495B13F4B3CA35A4DD9E4535629EE1A615001A244DC1B68C871AB364A0A704F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):256864
                                                                Entropy (8bit):6.8622477797553
                                                                Encrypted:false
                                                                SSDEEP:3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
                                                                MD5:E0BFA64EEFA440859C8525DFEC1962D0
                                                                SHA1:4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
                                                                SHA-256:8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
                                                                SHA-512:04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):506008
                                                                Entropy (8bit):6.4284173495366845
                                                                Encrypted:false
                                                                SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: file.exe, Detection: malicious
                                                                • Filename: v.1.6.3__x64__.msi, Detection: malicious
                                                                • Filename: v.1.5.4__x64__.msi, Detection: malicious
                                                                • Filename: LegionLoader (21).msi, Detection: malicious
                                                                • Filename: LegionLoader (22).msi, Detection: malicious
                                                                • Filename: LegionLoader (17).msi, Detection: malicious
                                                                • Filename: LegionLoader (13).msi, Detection: malicious
                                                                • Filename: LegionLoader (14).msi, Detection: malicious
                                                                • Filename: LegionLoader (15).msi, Detection: malicious
                                                                • Filename: LegionLoader (10).msi, Detection: malicious
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):97152
                                                                Entropy (8bit):6.423207912198565
                                                                Encrypted:false
                                                                SSDEEP:1536:yOHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1lLN:yOr/Z+jPYNV9H0Q8ecbjt1j
                                                                MD5:5797D2A762227F35CDD581EC648693A8
                                                                SHA1:E587B804DB5E95833CBD2229AF54C755EE0393B9
                                                                SHA-256:C51C64DFB7C445ECF0001F69C27E13299DDCFBA0780EFA72B866A7487B7491C7
                                                                SHA-512:5C4DE4F65C0338F9A63B853DB356175CAE15C2DDC6B727F473726D69EE0D07545AC64B313C380548211216EA667CAF32C5A0FD86F7ABE75FC60086822BC4C92E
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14272
                                                                Entropy (8bit):6.519411559704781
                                                                Encrypted:false
                                                                SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                MD5:E173F3AB46096482C4361378F6DCB261
                                                                SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.659079053710614
                                                                Encrypted:false
                                                                SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11200
                                                                Entropy (8bit):6.7627840671368835
                                                                Encrypted:false
                                                                SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                MD5:0233F97324AAAA048F705D999244BC71
                                                                SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12224
                                                                Entropy (8bit):6.590253878523919
                                                                Encrypted:false
                                                                SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                MD5:E1BA66696901CF9B456559861F92786E
                                                                SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.672720452347989
                                                                Encrypted:false
                                                                SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):13760
                                                                Entropy (8bit):6.575688560984027
                                                                Encrypted:false
                                                                SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.70261983917014
                                                                Encrypted:false
                                                                SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                MD5:D175430EFF058838CEE2E334951F6C9C
                                                                SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.599515320379107
                                                                Encrypted:false
                                                                SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.690164913578267
                                                                Encrypted:false
                                                                SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.615761482304143
                                                                Encrypted:false
                                                                SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                MD5:735636096B86B761DA49EF26A1C7F779
                                                                SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.627282858694643
                                                                Encrypted:false
                                                                SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                MD5:031DC390780AC08F498E82A5604EF1EB
                                                                SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):15816
                                                                Entropy (8bit):6.435326465651674
                                                                Encrypted:false
                                                                SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.5874576656353145
                                                                Encrypted:false
                                                                SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):13768
                                                                Entropy (8bit):6.645869978118917
                                                                Encrypted:false
                                                                SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.564006501134889
                                                                Encrypted:false
                                                                SSDEEP:192:8a9aY17aFBRAWYhWYWWFYg7VWQ4eWbr0tJSUtpwBqnajrmaaG:8ad9WYhW4F/qlQG
                                                                MD5:212D58CEFB2347BD694B214A27828C83
                                                                SHA1:F0E98E2D594054E8A836BD9C6F68C3FE5048F870
                                                                SHA-256:8166321F14D5804CE76F172F290A6F39CE81373257887D9897A6CF3925D47989
                                                                SHA-512:637C215ED3E781F824AE93A0E04A7B6C0A6B1694D489E9058203630DCFC0B8152F2EB452177EA9FD2872A8A1F29C539F85A2F2824CF50B1D7496FA3FEBE27DFE
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.678162783983714
                                                                Encrypted:false
                                                                SSDEEP:192:+WYhWoWWFYg7VWQ4eWSoV7jjT6iBTqnajbQwr1:+WYhWIiVTTXZl3QC
                                                                MD5:242829C7BE4190564BECEE51C7A43A7E
                                                                SHA1:663154C1437ACF66480518068FBC756F5CABB72F
                                                                SHA-256:EDC1699E9995F98826DF06D2C45BEB9E02AA7817BAE3E61373096AE7F6FA06E0
                                                                SHA-512:3529FDE428AFFC3663C5C69BAEE60367A083841B49583080F0C4C7E72EAA63CABBF8B9DA8CCFC473B3C552A0453405A4A68FCD7888D143529D53E5EEC9A91A34
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):20928
                                                                Entropy (8bit):6.2047011292890195
                                                                Encrypted:false
                                                                SSDEEP:192:8JIDSM4Oe59rmkUALQe1hgmL44WYhWWWWFYg7VWQ4yWARgKZRqnajl6umA:8JI2M4Oe59Ckb1hgmLhWYhW2v2yRlwQ
                                                                MD5:FB79420EC05AA715FE76D9B89111F3E2
                                                                SHA1:15C6D65837C9979AF7EC143E034923884C3B0DBD
                                                                SHA-256:F6A93FE6B57A54AAC46229F2ED14A0A979BF60416ADB2B2CFC672386CCB2B42E
                                                                SHA-512:C40884C80F7921ADDCED37B1BF282BB5CB47608E53D4F4127EF1C6CE7E6BB9A4ADC7401389BC8504BF24751C402342693B11CEF8D06862677A63159A04DA544E
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):19904
                                                                Entropy (8bit):6.189411151090302
                                                                Encrypted:false
                                                                SSDEEP:384:4SrxLPmIHJI6/CpG3t2G3t4odXLhWYhWfgy6l9ne:4iPmIHJI6vZO
                                                                MD5:A5B920F24AEA5C2528FE539CD7D20105
                                                                SHA1:3FAE25B81DC65923C1911649ED19F193ADC7BDDE
                                                                SHA-256:5B3E29116383BA48A2F46594402246264B4CB001023237EBBF28E7E9292CDB92
                                                                SHA-512:F77F83C7FAD442A9A915ABCBC2AF36198A56A1BC93D1423FC22E6016D5CC53E47DE712E07C118DD85E72D4750CA450D90FDB6F9544D097AFC170AEECC5863158
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):64456
                                                                Entropy (8bit):5.53593950821058
                                                                Encrypted:false
                                                                SSDEEP:1536:Se6De5c4bFe2JyhcvxXWpD7d3334BkZn+PI5c:Se6De5c4bFe2JyhcvxXWpD7d3334BkZU
                                                                MD5:5C2004DAF398620211F0AD9781FF4EC2
                                                                SHA1:E43DD814E90330880EE75259809EEE7B91B4FFA6
                                                                SHA-256:55BC91A549D22B160AE4704485E19DEE955C7C2534E7447AFB84801EE629639B
                                                                SHA-512:11EDBBC662584BB1DEA37D1B23C56426B970D127F290F3BE21CD1BA0A80D1F202047ABB80D8460D17A7CACF095DE90B78A54F7C7EC395043D54B49FFE688DF51
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12736
                                                                Entropy (8bit):6.592404054572702
                                                                Encrypted:false
                                                                SSDEEP:192:+nqjd7dWYhWDWWFYg7VWQ4yWMJ5HKZRqnajl6b:+nsWYhWxp5HyRlwb
                                                                MD5:DD899C6FFECCE1DCA3E1C3B9BA2C8DA2
                                                                SHA1:2914B84226F5996161EB3646E62973B1E6C9E596
                                                                SHA-256:191F53988C7F02DD888C4FBF7C1D3351570F3B641146FAE6D60ACDAE544771AE
                                                                SHA-512:2DB47FAA025C797D8B9B82DE4254EE80E499203DE8C6738BD17DDF6A77149020857F95D0B145128681A3084B95C7D14EB678C0A607C58B76137403C80FE8F856
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):16328
                                                                Entropy (8bit):6.449442433945565
                                                                Encrypted:false
                                                                SSDEEP:192:maajPrpJhhf4AN5/KixWYhW4XWWFYg7VWQ4eWvppXjxceXqnajLJhrdCq:mlbr7nWYhW41MXjmAlnJhUq
                                                                MD5:883120F9C25633B6C688577D024EFD12
                                                                SHA1:E4FA6254623A2B4CDEA61712CDFA9C91AA905F18
                                                                SHA-256:4390C389BBBF9EC7215D12D22723EFD77BEB4CD83311C75FFE215725ECFD55DC
                                                                SHA-512:F17D3B667CC8002F4B6E6B96B630913FA1CB4083D855DB5B7269518F6FF6EEBF835544FA3B737F4FC0EB46CCB368778C4AE8B11EBCF9274CE1E5A0BA331A0E2F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):17864
                                                                Entropy (8bit):6.393000322519701
                                                                Encrypted:false
                                                                SSDEEP:192:WpPLNPjFuWYFxEpahTWYhWHWWFYg7VWQ4eW9M3u57ZqnajgnLSuRCz:W19OFVhTWYhWlBu5llk2
                                                                MD5:29680D7B1105171116A137450C8BB452
                                                                SHA1:492BB8C231AAE9D5F5AF565ABB208A706FB2B130
                                                                SHA-256:6F6F6E857B347F70ECC669B4DF73C32E42199B834FE009641D7B41A0B1C210AF
                                                                SHA-512:87DCF131E21041B06ED84C3A510FE360048DE46F1975155B4B12E4BBF120F2DD0CB74CCD2E8691A39EEE0DA7F82AD39BC65C81F530FC0572A726F0A6661524F5
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):3246
                                                                Entropy (8bit):4.313391741874073
                                                                Encrypted:false
                                                                SSDEEP:48:T7emiglihmWpRlH61/98BuY3SZQU3uD4Vg1lwsbJ0EcWiOr5NSr5NK3WuhYljrHN:RigQLsAiOUoeFTQUydYVrF31pwhwoe
                                                                MD5:D329845E5D86AFEBE0DB82B3422C70C2
                                                                SHA1:E432BEE2397B8573444ECAE348300F06AA5DF032
                                                                SHA-256:56E2090475E1CE11A1885CE8ECE4D4B1F1E863F69A7233CC00BAF56CDAAA9096
                                                                SHA-512:137202D74C374EC168BC64BBD0039BE2A77DC052842367550EB8E31C9C95B58585F4D3F46F72F80D4A22229C64B8600629B3FAB4F1E9E681446635E0A7524892
                                                                Malicious:false
                                                                Preview:SET ISO8859-1..TRY esianrtolcdugmphbyfvkwzESIANRTOLCDUGMPHBYFVKWZ'..NOSUGGEST !....# ordinal numbers..COMPOUNDMIN 1..# only in compounds: 1th, 2th, 3th..ONLYINCOMPOUND c..# compound rules:..# 1. [0-9]*1[0-9]th (10th, 11th, 12th, 56714th, etc.)..# 2. [0-9]*[02-9](1st|2nd|3rd|[4-9]th) (21st, 22nd, 123rd, 1234th, etc.)..COMPOUNDRULE 2..COMPOUNDRULE n*1t..COMPOUNDRULE n*mp..WORDCHARS 0123456789....PFX A Y 1..PFX A 0 re .....PFX I Y 1..PFX I 0 in .....PFX U Y 1..PFX U 0 un .....PFX C Y 1..PFX C 0 de .....PFX E Y 1..PFX E 0 dis .....PFX F Y 1..PFX F 0 con .....PFX K Y 1..PFX K 0 pro .....SFX V N 2..SFX V e ive e..SFX V 0 ive [^e]....SFX N Y 3..SFX N e ion e..SFX N y ication y ..SFX N 0 en [^ey] ....SFX X Y 3..SFX X e ions e..SFX X y ications y..SFX X 0 ens [^ey]....SFX H N 2..SFX H y ieth
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:ISO-8859 text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):758251
                                                                Entropy (8bit):4.79038751246559
                                                                Encrypted:false
                                                                SSDEEP:12288:ja/Jivuk9SBJTgI6ecuunMM9J2QX6aCYyV9KdrbHzQnkzDBfcbEwoiiJQC:IJivGTvcuc36FK9m0i1C
                                                                MD5:3D51E0A789AD7B97307DC64229EFE5BA
                                                                SHA1:A8665D0D492D85B3A4F903C9C4D43CC42D416516
                                                                SHA-256:800EA3988CE7707858D97DA15228A30A7C0C0EECDC560EACE14BC0F0965A338E
                                                                SHA-512:86BC40B7B87E15A36498F2BE31E1C05D6CBE2F4C8290FD5DC6A5D561E3F6AC8500D5F56585760582DE89518A23C4219EBB5D53BDC9FFAD121AFF9057E95668F8
                                                                Malicious:false
                                                                Preview:62118..0/nm..1/n1..2/nm..3/nm..4/nm..5/nm..6/nm..7/nm..8/nm..9/nm..0th/pt..1st/p..1th/tc..2nd/p..2th/tc..3rd/p..3th/tc..4th/pt..5th/pt..6th/pt..7th/pt..8th/pt..9th/pt..a..A..AA..AAA..Aachen/M..aardvark/SM..Aaren/M..Aarhus/M..Aarika/M..Aaron/M..AB..aback..abacus/SM..abaft..Abagael/M..Abagail/M..abalone/SM..abandoner/M..abandon/LGDRS..abandonment/SM..abase/LGDSR..abasement/S..abaser/M..abashed/UY..abashment/MS..abash/SDLG..abate/DSRLG..abated/U..abatement/MS..abater/M..abattoir/SM..Abba/M..Abbe/M..abb./S..abbess/SM..Abbey/M..abbey/MS..Abbie/M..Abbi/M..Abbot/M..abbot/MS..Abbott/M..abbr..abbrev..abbreviated/UA..abbreviates/A..abbreviate/XDSNG..abbreviating/A..abbreviation/M..Abbye/M..Abby/M..ABC/M..Abdel/M..abdicate/NGDSX..abdication/M..abdomen/SM..abdominal/YS..abduct/DGS..abduction/SM..abductor/SM..Abdul/M..ab/DY..abeam..Abelard/M..Abel/M..Abelson/M..Abe/M..Aberdeen/M..Abernathy/M..aberrant/YS..aberrational..aberration/SM..abet/S..abetted..abetting..abettor/SM..Abeu/M..abeyance/MS..abeya
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):280
                                                                Entropy (8bit):6.328040373865125
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKEk/2wqNmEyvsYEE3r7UXGEoW7yR/bp:6v/78nMtIj9yx/6cl1
                                                                MD5:C58286125E5CB909DAE9107DFD8F2006
                                                                SHA1:21380AE4E18FC176759885416684A0B19C7F7C82
                                                                SHA-256:A65F53D774AFC38308625E6C165B2EAD4F1DD03D25896548B42F2F21CF901D2B
                                                                SHA-512:4E00ED5AC90F78C62BE0507A2DB2ECD57F4505DD79870AA4C1BF485B13E076D5CC29BF4EC9FB0625FEA9F186BF0C21C5F5D7D40BBD6A14C4CC9C6D840800FE1C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):294
                                                                Entropy (8bit):6.181656360209844
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKahknMBpLYoTn40eWuD1hidlYfelDblbp:6v/78nMtehFBpsWnLuDWvYQf
                                                                MD5:09C1CB2C3931F1E4FA7039678026BFAC
                                                                SHA1:72526E215BA70B6C0C53A14E30177B3C9C9B3AC7
                                                                SHA-256:10E4A6EB6992319CA1EB35C7366E3B7A6F1ECA743456282DCF64E76528705D23
                                                                SHA-512:79C273D66BC3D650643EE84C9C3BE4438848F23DFAB09EF345F93E45EE440147B858E4556B281F166A0640F6EA65A3D8F8D660B2466C9F7CE63DA42035C50E30
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):658
                                                                Entropy (8bit):7.2752538251619265
                                                                Encrypted:false
                                                                SSDEEP:12:6v/7iwnMtI5NdBM926zd5296hYRSOGdZret7SnP4BZKPw2n:ckANbMH2OASOG/retb6
                                                                MD5:CBECFA8E3A39AD187D0B5B611E8530D3
                                                                SHA1:1F98EC988EB2326A7905EA0CB0DADB11DFF98456
                                                                SHA-256:9B54F74F911E5F78A187B52EC94F2049180BF2FBFD043B3E56E5F1D4BF6654A0
                                                                SHA-512:F68AFB9275F37AA3FB42879D0147B30367A8CE15DEDBC967557D9DEBE12F649665D6E86F32BE3E66640FE95243F7A275656CB5A440A6676BEC74DD2041F5C8CC
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):329
                                                                Entropy (8bit):6.420308355307663
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyK2z8phbkbsxZG9leYdylfqCJ+k3iIp:6v/78nMtqYPoNl8fqCJlii
                                                                MD5:0674729E929FD791FC0D0AEF5B2FB5D9
                                                                SHA1:0A321E40FEA01E9FF341BAF78FCEE0D81963D84C
                                                                SHA-256:CF909DDCDF9BAD76EC0640275CE54B73F20EAE0A5E80ED7DC9F48AE982ACA8DF
                                                                SHA-512:59A317D283E2638593A82E149BDC3B8BC7E9FF0F5A575F3BC51845FCDF01174EB1E4B498C9B21897B73A461A1B2F9E068168920EF7A98F593DA61A99A83F15CE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):324
                                                                Entropy (8bit):6.491766680808101
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKll8n/sk3c7jBQxWgqbrTSMHmxHuESGmO2+vi8A9hN/sup:6v/78nMtboUKcuWgqbf5EHLSGmS6jD/N
                                                                MD5:59CE25E2011AC621D8C76D5EBC98E421
                                                                SHA1:27D9D254EDE7482CCBAE645E52CBB2BFB14EAB74
                                                                SHA-256:5BE77F5B2BB5A057E27733A28E36E535076D2EF12A6263B13D2EAA6ED9E59B09
                                                                SHA-512:3934D94EBC886D6386272D33782E8A7833945725AB227F3CB854FB2185A0539F2E43E9EC9E85A595C73F73E6BB57B289200A7E15F02240536ABF24CEA752603D
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):267
                                                                Entropy (8bit):6.19077973468042
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKzEj/0GGou28UK+L+WVmMFntkDqnXEuOp:6v/78nMtih228RnumMV+DqXEu8
                                                                MD5:4E4AB21E8FDEE3C90C277F6EC23BF8CD
                                                                SHA1:2CA13EA94FE3CAEDAB3A2BE44FC18CD2A523CECA
                                                                SHA-256:956D447717A91521D4A0B48486189795B0F0E83F11C05E32F8FE666529D040C3
                                                                SHA-512:EC6CA34F6D975D1E3E433D3B8BA9CCE9FB6742D3F17B2DCC27B7201A98EA23479C33FD209B2584A8F5C633B97802D757E4D2BC1397FA7BFA3D802291D699C78D
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):460
                                                                Entropy (8bit):6.83761150187215
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPKwnMRtyKIj7eaYGwoGn9iGUl/nf+wB417DbsLRtAJNfEYopHnt41dSoEs4:6v/7iwnMt8jsoi9lkwDsAsYopOdt7SaY
                                                                MD5:09EFF4F4D770599A874BC2D94065A8CC
                                                                SHA1:265B40063ED9EE376C5991AA39E5772AD68C406F
                                                                SHA-256:A9238998CC2DCF53933685F7D92686C81F9433167087AD4820E121FAAEA460B5
                                                                SHA-512:C3E01B97D92C5AF4F6A023374D4EF8A23BACA485DF82A2ADAE753650062FE857CA2FECF5AC33E720F8B92C2AFAD0C2FCD5B141475C11FD451C6DB82A9D26A349
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):374
                                                                Entropy (8bit):6.671134871061204
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKKy/nDjX8HfN2qmvwKliLbUpyfp1HZAp8TFEWdp:6v/78nMtOybjsHfN2ikinU6p15dKWz
                                                                MD5:4A4930AE3498DCE09DDD80775E1FD7E4
                                                                SHA1:548E0FCCD0C382778F26D2DE411560B30BF23ED4
                                                                SHA-256:C21F5FC164884D7AE90D306B8098CA4A4FDDC028D63B04E75E06823293960D3E
                                                                SHA-512:68ED2585AB02E9B3ECBC481C55FF3B42721D9689502A9E0FBDA162FF8C9AF78FCD98B0DDA683EE1224A14C5543271DC953CF788F5DF8AF38AD757CD81B88A6FE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):301
                                                                Entropy (8bit):6.433970126002673
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyK9Ej/0GGou28UKwrQdo/0ek1kCjFO75gD5NhUmuVp:6v/78nMtsh228RwrQq/Vk5O+Dimu7
                                                                MD5:6212A7A0F72777E1702FF69655C11014
                                                                SHA1:340F31181297EEFD1E7C710A53D34812F3FE5586
                                                                SHA-256:5E0D0CC1E5A7CCDF0754A131C00FDEFB345E763047D00CF458B485A660F8C961
                                                                SHA-512:819DCB658A57907C700366518E19814D2FF57DBC0902843FD1E5C0D140AEF9163A5EA0370A98EF93EC4D997DA362A96B9D204B30C2F45249B00BB2E92AD05FE8
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):275
                                                                Entropy (8bit):6.241760254713669
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKxWuGoM+kPJzlX8jjbnbbvkLV+Vm+p:6v/78nMttpM36H8LV+Vms
                                                                MD5:F7515A8ECBF2AA3AA9C57DFF3B05753E
                                                                SHA1:F51571132ADA200E233E5279014F6E396800C8C4
                                                                SHA-256:5BEBE21F8829533D8118E9B47DD49E2317C735A472477B583211670782312665
                                                                SHA-512:9AE9D82588858A39C6B56B99AD2703CA2652EB99358B234A632D47C38E1FE48E1548DB7CC763352FA1AF4E49B0A4CF3DDA9B8425BBFC94FAC4B7D1E957294988
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):358
                                                                Entropy (8bit):6.674957154010901
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKaX2j/0GGou28UKztI9ohN9y6EHnqywm1jgWHopHbp:6v/78nMte0h228R5mvHnRwpWHopV
                                                                MD5:D0301F65CE574CFB8601F381A04FC2DC
                                                                SHA1:B970384F7B4D11280A41498CD99B73FFA8EED575
                                                                SHA-256:D1E2AA31652F8CCD1F8C6BE5F7DBE5056407DA790EA8604BA776FD9856546BCD
                                                                SHA-512:17CE1CA8593D575544EFDE570A30BD5D78DD7D35FF03C25D990ED11A5521D95BB6FCB7FAE899D93B7C46C8F5CC7C2533763A1D4DF31D7CFEDB8256801D0AEE56
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):282
                                                                Entropy (8bit):6.2049316386300095
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKOhknMBpLYoTn40eWus7vrGVr3gWndp:6v/78nMtKhFBpsWnLusHGVrgWz
                                                                MD5:0943B8C4B397211B1C73B2288D2B0655
                                                                SHA1:2437C95E1CBDD6240D84EEB88C57CAFDFA5AE792
                                                                SHA-256:4221BB09453A0ED7183FB675B374F17B5F28BA7097AFBABBCCEBBB05EC557911
                                                                SHA-512:DF7BF3F6DEF5CA7E227EB2BF3F1E313F066C3AFE178D584860D6D6325B03DBFE6949C0C72643C3E0D8748767182892D7FAB4D090C1E86FC7D1911D58EF13FC3E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):325
                                                                Entropy (8bit):6.5022763903385785
                                                                Encrypted:false
                                                                SSDEEP:6:6v/lhPUnMRtyKFEj/0GGou28UKs/5Ln9R/ZVfFMXqfXMsnM2Sup:6v/78nMtkh228Rs/550yMshSc
                                                                MD5:ACFF953EC211AF6260069114D88B5D5E
                                                                SHA1:DBCCE1D8B99F2AAF2411FAEE55885CE4B0C87343
                                                                SHA-256:67D52CE987D7BB34817359BB689C69DD769FB3D147D136C65F16F94FDA16E2EF
                                                                SHA-512:6C069BA0EB35774A23A3FB8B46119069F510AD7F0B3F9FB5B98E3667C91EDA0E4D5508E79480010B829C86E35B7A62CBAB6B0350169AFF8FA58CDD5D7869D650
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):158192
                                                                Entropy (8bit):6.276215721465373
                                                                Encrypted:false
                                                                SSDEEP:3072:CHpTY9D4S6S8AFezF9bqtdf1i+PTHnlLee0cw1XbCzoll1e+Asrm+P0w:CHpTnF+qe3yCzolfe2rm7w
                                                                MD5:04932B84E5CD4EA826840EE8EDE549B0
                                                                SHA1:6FE6F09021D4341537EA0C9010048D37462A0782
                                                                SHA-256:74DF283D6DDE5FC5DB3073619F712A80C9DEBE38291D3EF91EDCD3C220601407
                                                                SHA-512:35E5C73E59785DF4E30BBE0B8B27960C9F38E3CF4944E0470622DF20424B421387648172427C17AD3502FAC3E2DF4D1C21F2B9B1E5261B6707A528D79F9F3C00
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):4700448
                                                                Entropy (8bit):6.762778198451197
                                                                Encrypted:false
                                                                SSDEEP:98304:GF+qQZELs+X7bVqGoFkzfwnxPhSVM1CPwDvt3uFGCCLh:a98Ks+rbVqGoFkzInx11CPwDvt3uFGCq
                                                                MD5:D1229452CA48896B048BDB0D12A5C505
                                                                SHA1:D2B73383DDADE5BBD42669049BFB6265892572B7
                                                                SHA-256:D9E31123FB00BA631FCCD9E697CD5F4DA4A4D09CB62F5B6F2F4C49EED8A8E27E
                                                                SHA-512:5401A94C8E998A6259AFE7AD930E914CA3F5AAAED4F706EF6151136E568B06BA8C3BB27AB04F95CBBB40FC879A75C0B7C442A586D54816E7109F8FB2755BC6CA
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):252912
                                                                Entropy (8bit):6.26449546686269
                                                                Encrypted:false
                                                                SSDEEP:6144:azN0KgZEaVmFI2qmDsHVf1JJKDo7wv52DP3dBrmSF:m0KgZcFIHmJU1BrR
                                                                MD5:EFE675C00C0543DD08AD96E4D7DD022C
                                                                SHA1:539A1724C5DB6279D239E28BF0BC1D06751CDF02
                                                                SHA-256:EF3A3677540AA47F1543C475E4531CE8BE0C70FBE3B75957C0AD6A0993A4ECA5
                                                                SHA-512:9E35D053D2C2CD5B3A70ECB88023B3854A7837D4FD0498622C9238A5D8EC0E2DDD51070A8525E2ED066B76E67FFB4602BBE7BBF1057D23373A71287AE7B2C126
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1321984
                                                                Entropy (8bit):6.764233377532147
                                                                Encrypted:false
                                                                SSDEEP:12288:0AYoX2ZQzNuuDg9tx8nrR3xLBpG50GclyVZousDS9lyORh6zrJqIux0ERc3K6g1k:qMrtFu50Gclyvou16JCT
                                                                MD5:F5A30F8ADFF2C742D43364E3D953DC6F
                                                                SHA1:194B8DFFE33F36D840BF6AF4B7933D58E0390927
                                                                SHA-256:8D7BAAB1371692356A491370F4AF818A5E6EC9EC019ECA4764EEC787A6BA88D2
                                                                SHA-512:0106C6227142B25AD0D72DDAF4FB449A832E1677229FE1A60F606E0621B23496CC3AEE9D3ABAC8FD9F68C81EA873B32B33F52D057A6896D7211B34F8575EFD1E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):829216
                                                                Entropy (8bit):6.300815379570505
                                                                Encrypted:false
                                                                SSDEEP:12288:/qxOwtce9UEE1KK2+SwtLde4UE8b35Vv8RAmpdEVB3SP:/It9BE1XYZJyxdEVB3SP
                                                                MD5:18232E66F7998529421B051E678C38A4
                                                                SHA1:3C040DA458F9231D3077193AC4A1F68144B8E2C2
                                                                SHA-256:B9E15674A3DC28D604F3A03398F2F421C3654C1376D5AAD3A4835538E1C61F1A
                                                                SHA-512:31258C52357B648093AD9AEC5760F0012202F596DD14F6C3A50DAC37286CB811F0CCE3BC418502767686FC199679DDC8D1F3DC790F19B8040D0229BC5DB636A2
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                Category:dropped
                                                                Size (bytes):66544
                                                                Entropy (8bit):6.309954882128114
                                                                Encrypted:false
                                                                SSDEEP:1536:Xoun2j59yXrmGv5jqGcZJt7im3YtQrmEKP0m:XUyhAJt7im3YtQrmEKP0m
                                                                MD5:4F8C576F1515282FF03306B01DE7F75D
                                                                SHA1:52CECE362F99E1B65732F54275F9CA984338882D
                                                                SHA-256:C27F1770F0648A3FEB826C6D480CECC37D8D807F193F45B721EB466688FF3998
                                                                SHA-512:7DDE6F439314C79C485A3B2EB7213FE17FC822377984B77CFA4012E2AB0BAC4C0A5B2951727497D2017DBA2140646E71A169BFA720E0C19D54FE4FF81552E59A
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):18367853
                                                                Entropy (8bit):7.968497771189572
                                                                Encrypted:false
                                                                SSDEEP:393216:BLz4LssSDaG2WEXljHcVPZBfJgPWFp93OKqNZNJyXgjrHKzMR:CLJSuCCVHaiPWFpkNzcXgnHKgR
                                                                MD5:C6C96A3F5AC8A949A7F920D83D4C8B3F
                                                                SHA1:2D6B7E5973DA5B3A469C4D6B426A02B7AA4FF9E2
                                                                SHA-256:753BA6FDC8F9C1DE1627D0ABBD03E97E2E97AEF3E5823A6C8C036B68D48C301E
                                                                SHA-512:EE9FFC7C6B996B9DD9421E23444F9F3D72E002E6CD50E7816325DE7392E49240D6B239139D5C2C7F7FF01EDE0F35077B95C77C60995E94405A38E1E8F5B263AB
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):124409
                                                                Entropy (8bit):7.718272830707501
                                                                Encrypted:false
                                                                SSDEEP:3072:1i6Z6wsvoYmg/SeP7rXuLU20fGqZLdlC8IvgvGR:7XsAySk7rXu+fGqZLdlWvCGR
                                                                MD5:5A4FE8E78A6C9254B36919DA9CE7799F
                                                                SHA1:27276BC48C907C856F0EB72CF6F3A48FA3A92E44
                                                                SHA-256:44E1E786291E335C6E4DCC9B2EACA365F06EEB8534A0CF8912DAC550091C4F46
                                                                SHA-512:5C8B22AFC7B07B8DC595E6998819A4544603B6A8B3100EA653F42826B340C5930A872C01BA90269A783FC955C7024DB26088D4333D22DE5A632B0EF4734D7CD8
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):51389
                                                                Entropy (8bit):7.916683616123071
                                                                Encrypted:false
                                                                SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):12133334
                                                                Entropy (8bit):7.944474086295981
                                                                Encrypted:false
                                                                SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                                MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                                SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                                SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                                SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):41127
                                                                Entropy (8bit):7.961466748192397
                                                                Encrypted:false
                                                                SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):113725
                                                                Entropy (8bit):7.928841651831531
                                                                Encrypted:false
                                                                SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):896846
                                                                Entropy (8bit):7.923431656723031
                                                                Encrypted:false
                                                                SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):92135
                                                                Entropy (8bit):7.945919597257173
                                                                Encrypted:false
                                                                SSDEEP:1536:Jxw6Uq67COVGkuLH5Sr6DPHoXsUJWLgUpDYC+ZJk3kJoPUFX:Jxw6v67bXr2g/WRVtwi0Jw+X
                                                                MD5:22F603FFB69D73089DDE462D567E88C9
                                                                SHA1:7ACF3CADC41F208280B8F115C2EE58FE16FDB538
                                                                SHA-256:27047E3D872637D62DD251A1E7CBE0AE5F1DD1F0F275A06405E6C673421681C6
                                                                SHA-512:AA7ACDB5DD69CE5C8C62E4A89F65F94DD9316F9364E30EBEB66A542FC418FC586EC41B0D13D41548EB05B4B96E22113B879D20B9F146B935D8B6CB3826E78A51
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):460349
                                                                Entropy (8bit):7.928980735357845
                                                                Encrypted:false
                                                                SSDEEP:12288:y8d3lQXYWlLLH56T4J+1hdWvHBmgmhhs+RGJ1:y8d3RWlXeMqdWvHczs6o1
                                                                MD5:B396D42998F877CBDE5B93A1B238B5C5
                                                                SHA1:ED864130A63A807EFC16CE9F97F8C24750A14C35
                                                                SHA-256:734130C3E9D7A12A75BBB194C9FD29DFC85FD802B42B3CCD2C617C86FC905473
                                                                SHA-512:8E44D12F37DE7A1F7453299FA0A3ACC566C2959A1C482DA936108BFB6514650AA3E2400AC090B65F2FE3FA53BCFF4F676D129695B10334B4160B45EF3B440043
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):718964
                                                                Entropy (8bit):7.932673218886782
                                                                Encrypted:false
                                                                SSDEEP:12288:i0TENWrWZbbneYeeZXg4ao0K/3JCypyudOQjsDv+X/A4zEs6HtZrvZ:AA6Z/teKX50K/ZPov+Xo4zEV/7Z
                                                                MD5:5A11C4A6D94E1C67F84D2D22B7012B11
                                                                SHA1:273C3A253F6845441C6B4D0AA000BD0860574EA8
                                                                SHA-256:AF1946B6683575D724430220DB7C948AF2598E69091F74459CCA1F97A15C2A54
                                                                SHA-512:841460A10900517CEB80F734F1492AEEE83287ECB521BB5107BECA3684189521D56F9CD2B17A136C521884124CD1F307CE51F63DABCAC60247960BBBFAC046BA
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):54624
                                                                Entropy (8bit):7.943156238505704
                                                                Encrypted:false
                                                                SSDEEP:1536:QAcQb2JQBFv0vQ1ffh80OUisaBL00Yfcfd8tjsH5:QqjcY1fJIUXCQx0lr
                                                                MD5:224D8C26B9454FFE244D354BC030CAB9
                                                                SHA1:E531A7BAF213D72964CE4DD83A11AEEAE5713F00
                                                                SHA-256:43622935A7EF06E30D1BDA7E77CB76488DA9E721728AE0B8ACDB1F9C7B91C943
                                                                SHA-512:E0754FFF5801CEB2B1512AD0DDDF0D74C4C2AE97EE70A467E7D83E3AE5870A6ECC6F250B849108923AA8CA94EA3505C4CC7C9BEEBFC192B2DFF1E99A943DCBB4
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):385108
                                                                Entropy (8bit):7.9135425794114935
                                                                Encrypted:false
                                                                SSDEEP:6144:WLo6BW4jXxBTXH4nfLyHInEmCC+Z/GTdy6ixx7KoLUTzROUBczZoUDYbwyKdlO5k:YvxhBDHauHIEDC+ZOTKL1IzCzZoUDYbK
                                                                MD5:C4BF3C85D5A2B5A2482D29682F937339
                                                                SHA1:2ACCDEEAD4904C6EC919771CE49943C9D6E8A9E9
                                                                SHA-256:25FDC4D19B9F9BFF599212307C35ADE3C5B14D8FA326352837E2AC1919A27679
                                                                SHA-512:51908DB9F980EAABB144C3BBD38563DF0DE3AD9AD286FD4D4F5C41B4F2D70CF278395E123D8C26A64742858A4B629902532C0AF097D020EDA92A7031AF586B66
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):44965
                                                                Entropy (8bit):7.9310029341229376
                                                                Encrypted:false
                                                                SSDEEP:768:T/6WAhx73PjgF6wN1l861Z/T6dKl4U1mQUva+qD160eYG3ichd66N3LgRBG:+73PjgTaK4U85i++1bmi+66N38RBG
                                                                MD5:A64194B2F7AD00E12C9E5AE260B57B3E
                                                                SHA1:2617AE8B733B5E7B31180A3EED1DDFFD1B5CF631
                                                                SHA-256:BC08974AF0D13B1B362A651329036C24CC54028F1D0B3EB327350B51E2270FA5
                                                                SHA-512:68FE47540C844FE28B92C0AE4E8FF5C77F60A4AD0C5F1F3857412DF36E11A6053697B823E7C3D653E012F1923502DBBAAA9B03803A24344DC5C384853A3D44F8
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):2207
                                                                Entropy (8bit):7.650310282866788
                                                                Encrypted:false
                                                                SSDEEP:48:pEEdhj3vrYL8RjLRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DjGqt:+EdhdKvJX/Agxo7RA1LZZAL4Gqt
                                                                MD5:3B4DCB7D28ED3DA5F09ADE9FDE137D3B
                                                                SHA1:0EEDA129FA837E4D5E54F678249C7265C96BE4FA
                                                                SHA-256:4BD4726EB7772FD1A202DF3EEF6367ED66688E0603C4B970D22AC8EB560F2A04
                                                                SHA-512:BBC8165555B54BCE7E2342CEE798F93245B0F5A4B6E9CD9CCBB28F7EF42E8B4E3DD729DB95E7B027CE955DB27FA3B8555D8015B568CF8672A4BEC9DC6028EC1E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):698330
                                                                Entropy (8bit):7.957481640793777
                                                                Encrypted:false
                                                                SSDEEP:12288:vSE51vUGc5P3jM18B7OcsnbmTk2baTrPxLLu3S6qj8fM7vX:qE5t9UPzI4OjbmTk2GPxvu3SXj8e
                                                                MD5:372B6F9949895C86164FDF3A1E99CAC6
                                                                SHA1:B9D3ECAFAE368E7ACDADCC347DE6FFC08D031CE8
                                                                SHA-256:934114BA650D81262CFE3CFBA0D5A190520C05CDDDCD9A7A875E3E1D951AD71D
                                                                SHA-512:2DB6F0FEAAD1DD724447CE6E1E1CE92C5293AAB8A661031BB4B343564703BA033410EB0BE56B223F2F8901CDF158530503C0F5B6459D7918253C3AC7CF99F029
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):81698
                                                                Entropy (8bit):7.940663737798511
                                                                Encrypted:false
                                                                SSDEEP:1536:PNkjPGGpYd4vOGnXOTbAuy88LVeMdC/FEM9ZndTL8kSCXWO5o4HMSKSg63WiWdYG:Jd4mIXpHdAVgkuO2GXKuHVWlZlV8i
                                                                MD5:BDD7FCA80A0E7436DC46FADE0C8CD511
                                                                SHA1:C491F4A649B8DB593F26D25133DD104D8985AE60
                                                                SHA-256:F783A14F1FD9E804553F54E8B97E38A5BEB8C25ADF096FD380FC1BEE391153AA
                                                                SHA-512:6DD0A97BC791E78C28E1D1D949911B94DB3E2B08E5055283AD0195E0897E7984FACB517FF8E6C7B6E78E310819AFCBEAC9876B0FF35370AD96539C3E8B28C134
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):58645
                                                                Entropy (8bit):7.913344050895434
                                                                Encrypted:false
                                                                SSDEEP:1536:r6aikQmg/FHrHESArP6j+qjHQT3K4n5pBCZ9xkQ8AgIDAJ4WY8gOY5nIlSjI:e7mqECMbnVAXDq
                                                                MD5:4C54BF6DD5C142E6C8C1A360C985167C
                                                                SHA1:7449C89D087ADC871E26218F6AD82FD1FF5BC01D
                                                                SHA-256:0AF33A68F7B71F12FA3B7F27BC69B80A86633F25EB82830076ACFC3170538EC0
                                                                SHA-512:2C5050F04B4F7AD373CDD33B3874A38AA317C996DF27630D4AFCD6F2ACCEC6A5ACEE3ABADFCF8D0182104651BA68239FA13E4658398F9F92D0E1C6D4B4F4568A
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):76011
                                                                Entropy (8bit):7.806124696487568
                                                                Encrypted:false
                                                                SSDEEP:1536:WwNmF73X9Xw+OM8661csaSLwEqv4RO8zIYaHlrez:NYlpBj866taSLwEqB3DrA
                                                                MD5:E910C6B0413AB8D4CD0A5EBCCDA387EF
                                                                SHA1:6782B1D03ED398C4AA558C219294C6367F7C8479
                                                                SHA-256:2A24C132034F0894A0AA38A2DFA546F6D20113783B791EDCC9831DFC144256FA
                                                                SHA-512:A729C0449FD21D633E5F70B8FE98876E96FE7559DE0E4E137A55B329403B624D6F298B2D4BBA061AD4049DE224CC2A2C3B6FA2BDCB13430BE78E84992D537B2B
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):190817
                                                                Entropy (8bit):7.967262446791647
                                                                Encrypted:false
                                                                SSDEEP:3072:SiFe3M5fvodBY6aFvCLY3HQgZlTlJtlGwNa+Uk3/+y9L:o85XoHaRMCHQelhHlZVlGy9L
                                                                MD5:435A6696E8BABB8D66B3D838FAED2BF9
                                                                SHA1:4EB408C7D7E6A347CC6F331CAEC10DE7F55FBC57
                                                                SHA-256:3F55459BE1A9E300D872F712039F975A3C5BCCFDC498CD0A603A465DE8633300
                                                                SHA-512:D3D8D34400230FDDBBCDF469786869FCDF50491CDDF70B58ADCB33E959A5ED8649E374E714FFFFA7AA2D4884042F09B0FCB7963402B65BD48E1634D099E2B2BA
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):4035
                                                                Entropy (8bit):7.63515724105447
                                                                Encrypted:false
                                                                SSDEEP:96:Yq0GYT9RMGlLOkhw8KvJX/Agxo7RA1LZZALaGXDHHs:f0GjlkhDKdNsAlsnI
                                                                MD5:FF54FAF2ABD3B1BD2B868FEC043BB19D
                                                                SHA1:C6EBE8364D84B85478C164A6A6A09FEB4394F6A6
                                                                SHA-256:D73340591C1D956650175CDF0B12F5523EE5D5644ECDAF663DD7F44EBC28290E
                                                                SHA-512:F6225B4F0FD673226F20D8BFC9A99851FE230C7DF59472FE07269B83A52F52E5878A39B9B2C55D8435E98C140F16BC383AEA01D4AEDED5BC4531084D491A3B37
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):670979
                                                                Entropy (8bit):7.887042011821685
                                                                Encrypted:false
                                                                SSDEEP:12288:aXgXoXuXOLj7awadMRn6HG46P4IN8mvyHswk596dQLreo7Z6AAb1yRvuASgS5Mey:aXgYMOLj7awadMRn6HG4y4IN8mvyHswi
                                                                MD5:895377EEDFDE160D01971E53C5657F7C
                                                                SHA1:8A3E4A11683A7F406DF57277921A9B5E49DCA185
                                                                SHA-256:026D61591C17B3ACBF900F3EA676452CC668062116C5B823709AEABBF77AC7B6
                                                                SHA-512:D73AB337D179B07DB5F01D58243578687A9E4323BCF6ADE8137E31D882099966EBC8C132CC3A5391A4C77D532B54C5354C6C0279CC24AC0970375B0EEA0EBEF4
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):517331
                                                                Entropy (8bit):7.932914811977659
                                                                Encrypted:false
                                                                SSDEEP:12288:3Jcwf4nlwkOnw0dGfGf2NNdGGF56ZwDcBy:3Jcy4nlenRGuf+NdPFke+y
                                                                MD5:1BF162783EC1B1DE6BF846275CB30304
                                                                SHA1:DAED3EAFA8D19CA690F8A46B55DEFB0FD5F55387
                                                                SHA-256:BE8A7293DEADFF4410281D93A0B6E8CAF2ABD08486000F933E2B7794998B0AAA
                                                                SHA-512:71000CFDE3B33D7E1DE2BE8F34D1A4451CA37DB7C7CA28B59A6F6C00A730E974EE9F0AE4868659B9BD47970FE70CD83A4F523AD0D03F70362C5C7BD7FD99AC95
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):286933
                                                                Entropy (8bit):7.911348853312728
                                                                Encrypted:false
                                                                SSDEEP:6144:vlan58OL1oHDUV6c+45ksJuLWjNAN3ZtjV5OyaFQWIWdB8VimLL:vZHDezuqcjOjQWIySs6
                                                                MD5:CB1CFBA8201EE222C2D69845FC055F84
                                                                SHA1:8C448B58260790B6B10231F0153FC7438B41F4D8
                                                                SHA-256:DE900FCC734F2CE46175DFBAA4C26368452C6049EA96A35F1E27F5CD988C9D3A
                                                                SHA-512:2B69DD8B25F2549C4BCD4F2F3E3FB21F0EB66FD8BCAD4CEC0F7B731317041BC01B8329644109C0823839F3BA78BE48CEB227C5CB958CA3101E24035C24FD15C2
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):38562
                                                                Entropy (8bit):7.938691448340528
                                                                Encrypted:false
                                                                SSDEEP:768:YFL2bxkq9mFS8C+9OwdExG3rjwo6LkgHVOImnz3E2/ElTMst5G:Qalkq9ktCCOwHwo6L91Dmnz3E6ElTltQ
                                                                MD5:B1ECA358F4D3525178F96244F11344FD
                                                                SHA1:EA84D813907BA33FB66E54FC0A8272230F7F6FCB
                                                                SHA-256:178B1246FA90169F75CC8DED648A88276DD252A28A85F26676777D75D290BB64
                                                                SHA-512:985D19030C00EAF12E088184745739ACA59797D6E354FD41B1483A231E66479DAC0260E1BA9A3A5FFE4954CD69EC8FF49ECAF7D14DF0C4333BC77B2790EAE410
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):351274
                                                                Entropy (8bit):7.9627246365800355
                                                                Encrypted:false
                                                                SSDEEP:6144:ulMVIrmuMtJv/bpPkLG9zDEUa9NcHCwegOkCh0Tmj3/pxk3UKFZW7dc:ul6tltM6xDja9CCuOkChC0BxkkKFZwc
                                                                MD5:1327D707FBB8DF3EE0D70D15A9C0D040
                                                                SHA1:C4659E3754C6FA51E043AF8154AF8A9EE18A6F48
                                                                SHA-256:EF9D8D43781AF4C7A1952014806FD3E36036DF92D62E79A3C0AF021CAB6EDA50
                                                                SHA-512:E67C3E11EA5E962345CAC9682BE0F66E21CEB754AAAB2B48EC504D5EC50462BE5A96F59E28F046F9D3565E6C27214BD1793D8354DFA13FD99A2783EC44AA3AB5
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):201772
                                                                Entropy (8bit):7.9524710852936815
                                                                Encrypted:false
                                                                SSDEEP:6144:9qVHcUYpfJbKNaLV2ppHAVxWHj+f/ehKAqW:9icZp0yVOxA30j+f/eJqW
                                                                MD5:263F17CDB67CA9DC7704B373ED4FFE6C
                                                                SHA1:6F8E27D98F9187BF6A19A6C048E4C1E8AD43D2B1
                                                                SHA-256:C35E8D06078F41B89D152DF528C0F577A65BEE1235379B17E0C5BC54867B80FE
                                                                SHA-512:6C3689F290F6FAC4A090B6F01B7C2E70390F158F548D2E3F3F04F5383C895DA6F2D0092A254FE85D3FE0FA9BDA8F50DA72173ACC9A0AC99F590A22D6E370D3B3
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):78196
                                                                Entropy (8bit):7.92845847050618
                                                                Encrypted:false
                                                                SSDEEP:1536:k2Na/LNYo4Z/rkUG3FVnJP1Uufitv3eQccdatnKdknGFe3mUsGwzMOpOICSCSKPm:Z4CQls2igDGFiCgtIVjqSi4Hh
                                                                MD5:6F42045F475CC7E5AFCE90B03AA6ECE0
                                                                SHA1:51D26AA2154B906A29A931151887E9EA5C11962C
                                                                SHA-256:F35CBD067FA654E4782847D60E27BC6BB19329C144CE724836E11ED3024885BE
                                                                SHA-512:630781278A0BD196D38765E37566E8704CD09EFB48E267EAF541AFF60D0B3585884F4F27E5F6C4A0E5AA1536B5CB1F84DCA65E02FD80D22F5AFF296D2E6DC396
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):164226
                                                                Entropy (8bit):7.892034326519069
                                                                Encrypted:false
                                                                SSDEEP:3072:WduPEhfhy9SH8Y4zuTV/9nrPcTYxt7qnbN6LjTjAW6+w0ghchJK44kupSzOxGwQJ:WduchfIgHAzuTdR4TYxt7qnbN63TjAWN
                                                                MD5:5F943224E4AF329272D7FDC2066583CF
                                                                SHA1:895810831A50558AEA8DE45E121E5166030B9E54
                                                                SHA-256:AE6BB704E5073B9A0A72E767E7621077E78905799EA24493D23F11E41B6D8E83
                                                                SHA-512:BDFC9110CE85062532C583920D2AB6D4EEF9345E87FE5C68264C3E83020705E3AD3C4ABFA248C4C3C59FA9718EFD288B19DAA78C684A856F847D5F6864C24015
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):7108
                                                                Entropy (8bit):7.811258404475187
                                                                Encrypted:false
                                                                SSDEEP:192:Q8DM/XTGw6L+YSUUgagGBdzubltchdvvWKdNsAlsB46c:Q8DM/jGNx7agGKblGDGLAD
                                                                MD5:AA734D758967C9CC99D97CADAF2CF600
                                                                SHA1:C11F74087C937E8A29C7B8E9E796896D0D9359CA
                                                                SHA-256:614B6DAD2877EAC8D0E1F7D29F2067356C3ACC3CAA40DC6DCA23953F416D79DE
                                                                SHA-512:959EDABC1255EF215CD76F949FCD6B1809D9A8E01BB320165AF0E9462EBFE62646A6DDE9017FE55944B5B9036C2FAAD87064C2EE64B46EE80511A0C6761CE988
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):102118
                                                                Entropy (8bit):7.881915775504197
                                                                Encrypted:false
                                                                SSDEEP:1536:hA2EjV4dImyeS82MzTdgErULKjFp4Fm1CMfe1ChqmxrMylQEnEfc6o3zqZ1o:+2Ej5mlP5rUGjFp4FbMfe18r2TYMZm
                                                                MD5:F4F26CF1AABC52F9C792551E45F971CD
                                                                SHA1:98F52335B802EDE4918EBE4725E79BF59BD48029
                                                                SHA-256:AFDA7A68032E31314698D506E38EE63682A506BB72D6620DAFEA6DA1578585A6
                                                                SHA-512:820ACBB8CAC8E19383B5B5D93AA475E83186148022EFCC125001ED2A3CDE96B9F131D083300D62167687442865ACC79644E169553A4C749FDF0E43203C938124
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):67990
                                                                Entropy (8bit):7.946352945303167
                                                                Encrypted:false
                                                                SSDEEP:1536:bUJtgSL6NznTI0AE1ZSxiubggeSqtx0xp/2hQ9rW76B93ap:bytF6NbBz1ZS3bggeSqtxq5/rW76vKp
                                                                MD5:E9CBB864F1F0780B15F40963C426E6F3
                                                                SHA1:F910917052336D532732647BCDB73D80DF612C62
                                                                SHA-256:FEEEBA790ABE0CD4A36BBC68FE29185B4A152663ED5FC6B6261FB40E729D3B21
                                                                SHA-512:DE83F8F52040E862A495881C59A5FAD444A012DCDCFE65B56896A079D6DE1B4668138F48C9E50E091BD2F83E11F090CDBC38E47FAD52186DC6ACCE6994027535
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):944571
                                                                Entropy (8bit):7.993019507850888
                                                                Encrypted:true
                                                                SSDEEP:24576:o/LKQfuCSkRb5ZBlZQQILYqwjypRJ0lqmAp:4LKQmCj1lZQvLYqweh2Wp
                                                                MD5:D202B393A656A5E8C68687B4D33F55C4
                                                                SHA1:9B41A22AD8105D3CF3961AD8F4D6E750BCF291B4
                                                                SHA-256:5619F01649B53255A0A3E68CFEC3A4AD2DE6200F83E347DFFE083F0839AC467D
                                                                SHA-512:01CE53A2C06BCA793DB0AA9E7011A3D4C734EC1B4DEB289CF3E57973514DFE25D325C3C401798EE22CA06FEB47D643CCD73880F064AFF27449691C189C7D7AEA
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):7519
                                                                Entropy (8bit):7.847897535550514
                                                                Encrypted:false
                                                                SSDEEP:192:5IDZZqI952/n+g5u2ssRZZl3ewqKdNsAls7+B:2DZP9HgAuHZo1LAR
                                                                MD5:C8936F98B9091974AE938C3DA77A2F25
                                                                SHA1:F5A9C8C0883DE8EA79C3BD9D8AC3F80C11320157
                                                                SHA-256:138B3AEDC0F46E2CAC688CDB36B78E9B06D102E8DC9C3E6F8A7CC8ACAC993263
                                                                SHA-512:BB4BB7268C81DD734DE01977AA2AFD1CB4301C09EDA7D1D6E396EB7E24034520F52AB4111B9722EC32FE2DAB158D21B5DDD4EC579FB29125BBA3BD91089AAC4C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):90538
                                                                Entropy (8bit):7.8478943536932055
                                                                Encrypted:false
                                                                SSDEEP:1536:3fa+mzmuYgDlJR3aOy11mrrGFHz6FH2TD8YR7IactS5HK/6YVGz2OMPCzn3/PQPr:v1mzh9vX/az6FH2TDjIStA6gODz3/P2
                                                                MD5:2F1AED1638554EC6D6479CCFECE4F6FE
                                                                SHA1:767011B093A860A269947435B42A0918A031DBCB
                                                                SHA-256:1CD4ED9D066D1C5D2B8E179DED7024F2B52FCF9364F1C0765C5D579FF73CB2BA
                                                                SHA-512:987952BF02E87A4011B77A25CF3811BBB91FA0C166F3F7BD31C83A705A821685252F4F9C280AC77834EF6AE8BD57D96A467E8D2873BE1B8ED898F18AA72B195E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):424947
                                                                Entropy (8bit):7.938896145421226
                                                                Encrypted:false
                                                                SSDEEP:6144:kDK++kib1+dsmo6Asyn7XP8VClZe/vgPpHH8qUINO2QEnPyf2rQ5ASe:UrwbQno6AB7XPgCn/Bn8NMfQIy6Ke
                                                                MD5:4A46A0B3A85C592A5CD1A875C466E386
                                                                SHA1:9863CCC4CEF7FE3A46FB9A99CB367346B8872D3F
                                                                SHA-256:05EB47739AC18826EA713F68E0611EB59950255AB002FE3CC7CDED75A9CC2464
                                                                SHA-512:9D1B7EF66CD98A22C3A6E160F315263643F444A86F8C237C98E1FA6101A3A607B49266E085D45AF9F8A1FB232DB85248C046DA22FF2B6B679656EF6CD8C71DCD
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):81856
                                                                Entropy (8bit):7.846420334642564
                                                                Encrypted:false
                                                                SSDEEP:1536:11nsYEHYbC3DfjgQb6r1sPX2ShUVu4J6FI8pn2aGZsUpCi7Lre7jDZXG3tQ9D:1BsYiQqDMriX2PVuM6SGrOLsK3UDZXMM
                                                                MD5:E47B28481EE70BB515D1ACFC17C9D84F
                                                                SHA1:5BD36C3121AD501400D8A92546DA6A72FCDC271F
                                                                SHA-256:545BFD82162D6262FE190F86F86DD497E1665235EE2D1129CD5D5E1AEA908C2F
                                                                SHA-512:2AEA39B26710427B528BBEBAF3A88DD9D6CC8ECF350E99E99FFD7437729CC234D958601FAD30AB844077FC190190E2DDD3E90528B56FEAC451065F459CE18800
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):441292
                                                                Entropy (8bit):7.904078584539265
                                                                Encrypted:false
                                                                SSDEEP:12288:xL9PUt54BixmIWVjQgCjiub1RU53P8tP9:xLhJgxmIUcWuxv9
                                                                MD5:E46EA1F70112D65C273DEF5E61194944
                                                                SHA1:A0545A8DE36BD509813D6E0D0A0FAB9C400494F4
                                                                SHA-256:08738A27A0B852F2F928066F40F28B0ECF3B7AE383BE8670BE40EC51E3F322DC
                                                                SHA-512:E7486E285DDA9376342303901C2C97216071E1512A7AA9E6D1AEDF3DF8D0639FD2F74F0B00028E9B2B186633C4FFB04B0D02ED25B7573903E114F052E8253C2D
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):6393414
                                                                Entropy (8bit):7.903376019710367
                                                                Encrypted:false
                                                                SSDEEP:98304:6owraaSV2UUIicONZ4L/LgvXXtasDSECRrs+b5Fr4zvFTTJNzH8mQ:6oWbSPCeL/svX9Nwxs+b7r4zNplG
                                                                MD5:9F834ABEAAC75525F0FCF228B7A60574
                                                                SHA1:179F4A4E8E30686AD80582F3A0A1E1F178E50BA3
                                                                SHA-256:8B66F9D8245ACAA5E2EF406C443E33D1FA9D3ACDCB6FC93A439C4EA1FCB15442
                                                                SHA-512:81976CB0DC4FDAEF67BCE6276123DEF0ACDFA98B6ADDE9EF4350A018D03C57E3B3F0F8FEC5451AA34AACEF802476FF6561E8161DC9AB1F8FCDC077FB7C872035
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):12298
                                                                Entropy (8bit):7.8734358073542
                                                                Encrypted:false
                                                                SSDEEP:384:4sWbgcyF3vE5ImBmW6oJ4+cbE3Rcfd8wxmy6zvXLAD:4s/cs3vEGmBmCKBP9Z6rQ
                                                                MD5:34DFDC94E39761FC9E046893E561D671
                                                                SHA1:A15D2FDDC81E8055E85289E409EEDD31B73DEF4B
                                                                SHA-256:05334CBAC51A75673F23943BA026B79672440C477A0E69608FEA456C02A36834
                                                                SHA-512:CA394A70EFE1AA102B2C01DD1CA6749009953B66FF5F426A50CFC9FEEB1452C756A72654A839D01F202A4BBBECD54CF6B4638EFC1F5AE0CDA1E41D7D0B3C1983
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):194472
                                                                Entropy (8bit):7.970641034460952
                                                                Encrypted:false
                                                                SSDEEP:3072:MgedXNLqa3FbTV5vUwRraR677wbxsv1EGo76TIObRkax7vJk4VsDkT9hym9oAlzK:bIXFH31fvYRe7wbY1pH/7vS4okT9IAZ6
                                                                MD5:325C9BAC6B43ED148BFAB975BA7EC749
                                                                SHA1:112602CC92CB5706740FE8E470245CE5131ADD46
                                                                SHA-256:0DD5B5ECAB1D3C4227330FF96B2CD0782BFF4C1DA082DD5BC667C693143454CB
                                                                SHA-512:15DD1150F5BA2634EE32016FF470C5BDB6F51FFDE32E7A94265CC2298ADB1777526C907310086B5940762F78D317A051C927DF2D69D03F0CF2B35EA68B3BF61E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):1211177
                                                                Entropy (8bit):7.944554747269419
                                                                Encrypted:false
                                                                SSDEEP:24576:c4xHrlw1+43XYwN5YYB8d9PBEJAqxM6EClnYCRwQz:t5B69YYOrPeJfMrypz
                                                                MD5:038AEACBF82A840FB86C19767F657F72
                                                                SHA1:7883E63F46B7CB0847ECA59BEF4DF7D8A3EC8D72
                                                                SHA-256:1430B8D1685F5DE76F26C54B56C81D5C1069358CD4709BC3DCB6FFCCB0913264
                                                                SHA-512:154779EDA97F99703796A169D00BB37FBF46C4D1ED87F9954943860828FEA6DE3CBC0D282511977C0E5C56C084E801C5E736CD35A41AFC448E2B192F2EF5DA95
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):148116
                                                                Entropy (8bit):7.957089717075174
                                                                Encrypted:false
                                                                SSDEEP:3072:ep6J8WzaQPEnQilSKrKbu4orXtAw8BEI6KyVmX632j:c6eiOPObu4OAw8B7B/N
                                                                MD5:7FE2728D9C5445BD2E8BCE58C8EB596B
                                                                SHA1:DC5E88F003CE98F92BBC47558BEB041FD42316E9
                                                                SHA-256:6E07BA1C7EF067AF05AAA9B6C5EBA558C9B7C110BE19A4B8CA92750718FFD195
                                                                SHA-512:55694DC5A5F13F82C5E2E411BB17A5CF46B350A0CB4C25952CD35B57E98B6B9AF0652DEE4F4B365401E0DCB4AB6F2C873E6F8FF015D178E211B6655F025C5040
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):471595
                                                                Entropy (8bit):7.927361107640658
                                                                Encrypted:false
                                                                SSDEEP:12288:5l1yr1oJ6u/7xwGw5eHlUisCEtfyyVTJtfp:dI1oJb/7xwG4WlUibry/D
                                                                MD5:8154E711D750D204E5358034800D4FCB
                                                                SHA1:1ABD5BEC7F082B1A9183D36A298173A28BA37B40
                                                                SHA-256:A00EAFECFB99C1C63FB7B33A5EE330680888215F55698B03CCAA340D74F2FA97
                                                                SHA-512:20EF0B9A80EA8FC122EB5E5800E6CF0FCA70E95C08567675D8E46A37926B9D11C835CABCB7874F553092D34CF93CA2021DD671A437780D028A32461C736AA7DF
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):747316
                                                                Entropy (8bit):7.912940714319912
                                                                Encrypted:false
                                                                SSDEEP:12288:C73JYuZSRMmg+2l8ZUAKJUUvF9MnHczIf+z71M5Ns9ey:wZS5g+JUAOtrMni571Wsv
                                                                MD5:29D0A4D06C197F265501AAD6BAF45E62
                                                                SHA1:83E71B0BEF3DFCB56F3E2476B1CA53A16ACEF850
                                                                SHA-256:A9775CF5EC65239428BB5C55BDC058BB60B8CBB4F5C0B4B070D413708EAD81E6
                                                                SHA-512:F58B00D9D151AF763B8FCB95008E154D8506023C82490714E1D23228177283643C5B1A1EF2BC52565A651A87BA9200899F2ADEF02D8BEA7E5916CA7ACFE03595
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):873528
                                                                Entropy (8bit):7.899120036221473
                                                                Encrypted:false
                                                                SSDEEP:12288:va0YbDnpUDzGiOkyBcWLuexX9B5QjTQyJ9S38DMZz6zb2lPT6kax8uMCIJuTNDt2:i0wzMzrOpCWLgXSMYOzUPTtZVC71c
                                                                MD5:70EE207E89DDCAEBBDBFE57B7274DB71
                                                                SHA1:CBAEAC1512A8ED53D391BDF008E3490B5B19455E
                                                                SHA-256:35C6FA0FF16DE8D51DD51448BBA85A3B43CE32E7553779B30A3AD71EEF8F3353
                                                                SHA-512:61E299B33D34239DF362591CD2A5D37EA94F1811C80D44733CF9D536089431443FB19911D7B608D3F1B48C597CD4FB559A88A1D07B26B751168194B54E7F0E2B
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):127873
                                                                Entropy (8bit):7.995171911648754
                                                                Encrypted:true
                                                                SSDEEP:3072:BJ/WTQagxB70gu3KeURn3xm1aJr2lUdrwEfNQT0:XWSBzean3xm4JcAr3Y0
                                                                MD5:62D094CAED8190D1752D97C6EF9DF7A5
                                                                SHA1:6351CB0057606D2B44B8AED4AF01DB32FA9079D1
                                                                SHA-256:27CC1468B8BA7A78E5DEB2560CAD5D6CEA1D4FE63EED380C80D90A3481F30BB0
                                                                SHA-512:EEE33F1B646AEFDD6F52DA3CB8CEEDBCBD26091BE328A8BB441DB94846CBF25BF163DC478B562CCAAE923EDDAC5583F8ADE8E09FA7B84DCBD9A3B190AA8BA7D1
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):534760
                                                                Entropy (8bit):7.936953895862843
                                                                Encrypted:false
                                                                SSDEEP:12288:vtLqgAzEIiaPQ0NSuKWTdJLwUa3RPM71yj9aAP4E4:5qis+QdFw93RSyI8w
                                                                MD5:6687450EE0EFC3CF002A404A31F0CF0B
                                                                SHA1:2A3AF738821E03C7CB80D73F0051775D6A2DFC60
                                                                SHA-256:BF4CE18BC133EECB6E0D7607553C0B911D780A430948B804F3BC9040ED0AE73D
                                                                SHA-512:BA8E24DAB000C7A8C5777481679470C620486A1E394AA234B1B3E5F15A08C68FE210B489205736BC17CB642BA52BD0DEA46C1D3AA32EA278C7E23838E74AAB50
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):410728
                                                                Entropy (8bit):7.940858294306596
                                                                Encrypted:false
                                                                SSDEEP:6144:Q0N3mgGVIQyaTOMi93AcpXpRfT+JjHS4W6dTL/doNBnUCNllxPZ+6UOP15If:vHKPXOMozpjsHS47RLF2BUqlTZ9UOof
                                                                MD5:6B537512C2F426FB7D0EA53B2C9B88F3
                                                                SHA1:52648A05552B27E9F7E8FFE39EC12688DA901E16
                                                                SHA-256:09E7D2A027BDDD185DF18CD8D7042B1C6464664B82F798FB7DD81205E16B8A98
                                                                SHA-512:E51CAED2A7181D2A275F34093F45E1C727196B30DFB26B16BC0439E7C449F98CD65F257AE6E3DCDB1BF55390CC876EE644F6BB9C16E06052DB56F07AA297F2CD
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):663529
                                                                Entropy (8bit):7.949945206904611
                                                                Encrypted:false
                                                                SSDEEP:12288:tLcJdcxVT6CFASpD7Qzw8EunjWLmxQ2jWE+6pyTACA4oqu:lcJdcn6KdY9iTop3CAvZ
                                                                MD5:5914B236665D99E5E396D3C727ACCEB2
                                                                SHA1:6610D9A8F450DAC3AEDB06306AA0F99224D13F8B
                                                                SHA-256:3A73276654319554366BFB46AC82BC1D6F2C93989D9DB2104EDA519BA310D654
                                                                SHA-512:A4ED568482BDDAE0A06A530555ABAAEA31987674693ED34FD460C8960CDD29615984174A85D60D324619844CB80CF86B9CC310132ED6D763311347B5149A7F75
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):3098
                                                                Entropy (8bit):7.5832881194591995
                                                                Encrypted:false
                                                                SSDEEP:48:pCDh92jG/7jnZhQyhuW0KjhRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DVGOveUz:QDhLQ2XKvJX/Agxo7RA1LZZALCGOveI
                                                                MD5:E495331A4B7EFC861687151B3647CCED
                                                                SHA1:2EC5BE517CD31D9FBA085EBB432DAD9BC7D2186C
                                                                SHA-256:04F7529F454B7B3DE70187C4B8457EB1F1F81B4F38F64B4509B5CB733AA80CC0
                                                                SHA-512:C2A85AEB8B01FB37CD82235FF55D1E766FF3F45B6B4BA93A51A60D0D2A1DD19C2F95FA40B640BBA75D284175646CCCD3F5920DEF420BA7C4824829EFCFA54A39
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):33913
                                                                Entropy (8bit):7.925452325822178
                                                                Encrypted:false
                                                                SSDEEP:768:UBjs99RXqRNMZEJvWg/hm6LY15x/C0WcqutzJuUyS5m9u8ynj:F9EWoJYNC0F/z8UJITq
                                                                MD5:C40DFD30EFE94EB2E213E0B12215B482
                                                                SHA1:AC7B8037B7FBF1BEC19AA62E9792598E6CA6CF72
                                                                SHA-256:A4D36A1A5112F9F3E793BBABC690255962ED8894519004E7EA28F17C3AC39A32
                                                                SHA-512:0522C1A23A4CBBE4CEA61EAA443ACAF2FBEA09F1EC657CACF254489ABDB36DCD8617C586431304E25D51253A1625C088C36AC76EA0759E73F0720A82866958CC
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):81621
                                                                Entropy (8bit):7.930307384934393
                                                                Encrypted:false
                                                                SSDEEP:1536:b4z1HiSObJI7P6ahupea/dABbwU5wkwoKlzX6juezDDW6zrV+RZwOZjO2:b4z1HiS0OyCuEjchLoKlL6juofKxNz
                                                                MD5:1A0F24297CFE2D15AAB00F31458640B6
                                                                SHA1:5F4D91F26DCAE7AB0FB2B0FFE69C610E6B6AC273
                                                                SHA-256:6BBE768A88034193C63670B2C037A7C229155C08275A69321A09715690422855
                                                                SHA-512:27EBD97ED0E9C0BC9D29DCAE5837A0B478DFB7404233131E11AD46128FE110EF3D371AB5EAFF41EDC9D503BA6509FA61C8AB8D1536DAE7B5100087AD9233C1C7
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):35841
                                                                Entropy (8bit):7.895920206921998
                                                                Encrypted:false
                                                                SSDEEP:768:01aLV2OeSrEWXZIj4RiHRdIuRK4jpg9I6app5uU8OIW8Gp9xwFJ2I6fJZdTX:01aLNLq88R7qRQuUT9jp
                                                                MD5:2AF6A1F2D4FB1FA1AD0E8150892C4A12
                                                                SHA1:2A1DFA6D16CE9ED226BB541AF3AD11E8466D205B
                                                                SHA-256:3E223217F96935D6890A6E3BE53F90BE5E52CE6F691844AC53A40CD64481FCFB
                                                                SHA-512:E0CEA8C7A25A86CB61512186D78564AD9CE08B3504D677BA4E797C7FE542B0DABB4C5DEB4F06702EDF449B7531AC4B665BC3B278E92E888E04EFD3CF41F0A982
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):69486
                                                                Entropy (8bit):7.914145548898423
                                                                Encrypted:false
                                                                SSDEEP:1536:wQk+DDx0BvxFbTf8sCDrGvo9SFOwliS7QWAfRbfjM/Rd3N8CkQdyyFKLpW:wcDSFbD8s+A54E6fMH3N8CkQ+W
                                                                MD5:295ECFC1A63647735DE3918D7B61AD15
                                                                SHA1:7EAD8158CC54073AD4B5594446FC1275989D750E
                                                                SHA-256:032F0DF66BD529D7D9838C9A0A76B7B825430EA2089B9C732B86F25EBC99DEA0
                                                                SHA-512:52EDEA1A5315D5110B9031A0BE23C3952311BAC1FBFEAB758C59F89F1BABD3256C19D713FB3473CBB9F3498B2634883E3E57E55B7679B9392570779971619DD7
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):60084
                                                                Entropy (8bit):7.94170672965016
                                                                Encrypted:false
                                                                SSDEEP:1536:Ko+W+rGMpEXYiqAD+gL24MrD9OYvVng1y3iX2r:L+r5pkYit8PJOAVntd
                                                                MD5:29EA5E44B576D8EDC8334535ED8152BD
                                                                SHA1:3D42D41A1E32054DE879F95D3E8D26EF2C7D0A66
                                                                SHA-256:004819FB8B5C46995DEED0477F074CB15DB7862E4C4A83B5FFB891D4FAB700CC
                                                                SHA-512:91546F0FE574F78CC02A7E285ED981129EEB5F2077AF970B6B620DB739CCF105ECE333DD6C9E13150CBAA54D710EF6FBAFD910EF68091D4F6D72DCAF9C4D8DAF
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):18962
                                                                Entropy (8bit):7.879095599349228
                                                                Encrypted:false
                                                                SSDEEP:384:JEJj14/v6ubRBwV+mtm5VpVAlF+D+6XZsLA2:JE74/CMemx+lgS6XOt
                                                                MD5:F11E5D65863146758D0650872CB3A164
                                                                SHA1:0E5EA724EB4EC991DF4FC7626DDBFE77FF313EFB
                                                                SHA-256:9EE120517DD4F711C5C3662ED77555059861291DC78CF349615F0A51BC79A7E7
                                                                SHA-512:242A225DEB9A88FF208511F772F19BA691EAFE2CF42597FA29A9D27B07CD7F5C7C5D5CA1B1B1DE381D8705E9F4D6751E7084A17642A56CB1802E0B3C9CD0E962
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):16691
                                                                Entropy (8bit):7.835716025973249
                                                                Encrypted:false
                                                                SSDEEP:384:X35ZZ+W608/ykiL+E3OgSd2yDLDoWlgv6LA2/c:XpZZ+W6zzPn4y3Dn750
                                                                MD5:7B3BE04EFC27E0560C20006170E899DD
                                                                SHA1:8FE7D7B4A04DC3F1A31F97CC17BAB31A94EC42E7
                                                                SHA-256:6DBF1422C48BA474C70426686229DF1AD32A20582EEEE1E5D79F288933CFF20D
                                                                SHA-512:E64FD473691976F4DFAB2001D15C7D72F2E64FB6F126E41D906A11BDDF600D0E5ACF6ABA54B0535DFA12104EDAFBE4309CF22F4A64BCE3EAC33DE6D949A97B80
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):2573
                                                                Entropy (8bit):7.585716552925947
                                                                Encrypted:false
                                                                SSDEEP:48:pIVaWgvq2vIt8Fn3fjPRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DHGavq5:Kavqbkn3jKvJX/Agxo7RA1LZZAL8Gav4
                                                                MD5:6580F1626A2C55DA21AC50143B4C92C0
                                                                SHA1:A28A5BA9620948355E0CCC9637C740963D3EDA92
                                                                SHA-256:624B5898A3FBCD11E6E6D681871B9E8B307684CB068C6F17E66B7A637D7531F5
                                                                SHA-512:820BF4E3A1BFE0711F1D52FFF9755B0D16C36E0B50B5E2D11D1FE90F906DACDF3453084BD1EA0E776E3084386ED39CEBF9E1922B53F82B0E03FEF00B224DF3C5
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):23570
                                                                Entropy (8bit):7.699516108218091
                                                                Encrypted:false
                                                                SSDEEP:384:/FWdT63qGA2s74PPf+AfdgcirNa6hTbdJ3ZBR6ZhF62WmhSWDdulpLAEU:/c63qXDMvfLirFXd6Z2gDdufS
                                                                MD5:7579F5E9191D26076513F0D62BA63763
                                                                SHA1:A983D608C3087FFDE4E1A2F76C4072766CB52763
                                                                SHA-256:6BE9DE8083B09B782B7520691C2B1B9CD8796ECCFA3101A205853CD3CE22FDF0
                                                                SHA-512:EF643B3E4252448E6AB98CFC2F7309A0D41D53EABA8B3DB4AFA86BC09EDA1EDD49750AE5763E542073B142B40F9F541570655FDFB841709797D59433CB09997E
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):75417
                                                                Entropy (8bit):7.957051837625358
                                                                Encrypted:false
                                                                SSDEEP:1536:rLd/gr4QC4zcxQiwrk+79xRDxqWXp4kE/eoBtAi939FMp0t0NmwELQxqbJs8hneK:ejouRxH9qWXFEZ0is85rgyn
                                                                MD5:24AF92517AC1A65B436D2FA612EC7003
                                                                SHA1:32F019F2D9057A52EE79A603637753918991E193
                                                                SHA-256:8D2196DFD3096919F43852D654C99D3D52CA37A58A311A540CE6A14D367B1482
                                                                SHA-512:D4FDC8A4300591297595A2B7051F9ABB41EB5A833E813508160779EDB45FA7C1BAADEEF81B768F74C457C719B7C2987C601C64AC920C8FC18F37685772C908D8
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):25069
                                                                Entropy (8bit):7.861186641428454
                                                                Encrypted:false
                                                                SSDEEP:768:dGve+SEzoJirQXHxGTjCsxc0T3iQCVSJqdSE7g8gGuICe772czgyO/CS:d0e9EzyirQ3xGTjrxViQ0kQg8gGuICeu
                                                                MD5:0818A0480E8735784DF484F633893DAE
                                                                SHA1:B210BB4F8C1DC9EACC0531D645CF77A5EF80E30F
                                                                SHA-256:6193B8935293735A0E075950A43AC9C2FED9EBD333CBC5CA2ECF3508E550FBFF
                                                                SHA-512:9F881002F03343453B7903B6471ADF42F4769E61D26F7AB4AC31524484FB201FE25A9FDCCB90D03B337C42EE8B3072EB2A845E3DC3ED854E39266EFF19E55D1C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):13963
                                                                Entropy (8bit):7.775458355384311
                                                                Encrypted:false
                                                                SSDEEP:384:xzRgcWBxiV8wXQMbX9Z0aIg40ED5rfPLAJmnhB:xnWBQLz9Z0aV40EFfPFnhB
                                                                MD5:510CE41F524D16C86791C0064A589E7B
                                                                SHA1:78ED6092E0F150A94460ADDEF8CAAD601AB5ABBC
                                                                SHA-256:AF7E7BDA39FB3EA6A8C41669DBB86B41B6799E7EFF379CE757981E5B956BB24F
                                                                SHA-512:20B6517378381D379A052997642BF23B5B057EA33C2E0BC962AB6B64E989FDAAA4CC3F02BFD7560D26189E55C7CDF13555BA272C476AD984CD0F913730BD16C0
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):17477
                                                                Entropy (8bit):7.858834131732098
                                                                Encrypted:false
                                                                SSDEEP:384:WssxVkcgUhibEPAZowuCxykS7ug+aM2xbWCwRNXkoYufro8LAC:cekAiwuCxyvugjMqCCwAuzo8p
                                                                MD5:76B5BEB2F821D1CADF6FBC86B4AD3EA4
                                                                SHA1:353EB41AD10248539929CA4D4E52099C2233798E
                                                                SHA-256:E390AE217A83C38651EAAAE4BB00941F53C3E06C70F5F6E335713333432BEA27
                                                                SHA-512:A48301D836C6865B210FDA8D5252611E39C9BCB30A0E328C96A6F934B169B5FD31CC3ACAF0438DF85F1F4B846F1A1FDC815043C885072396F88018BC6DDD212C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):42290
                                                                Entropy (8bit):7.301009409584117
                                                                Encrypted:false
                                                                SSDEEP:768:GyvMIZQqx6mssgRqwShvKe8l5sFCIvV9XaK:GykJqxdevm3ptRaK
                                                                MD5:476A6F2B11BB60D05012AD03D982E3C1
                                                                SHA1:2796654C41EF4AAA09D23450B3F7E616E63ABA33
                                                                SHA-256:905C70A0DD7FC8C9F4547388EB492992B43D26FDC3D6808D9A4DFFFF577C3FAC
                                                                SHA-512:EBF7130DB716B4FFB5C4F2951E16464A683E0BB5B65D633B7F13EFEC69EC570D9B34DB1E7902761402A9068E0EE7A0F7EBAFE0BD96648BE9CFD993BDAF420E17
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):102661
                                                                Entropy (8bit):7.963859985844485
                                                                Encrypted:false
                                                                SSDEEP:1536:kipzltxqDIygENgDWnkIgwqZOQqcK4kLvPx0aKeXCCIPuV/ingD4IJT8nYjIrSb0:kipXxgIy7Ng6kqr34e7Kw7Kwtmd0c
                                                                MD5:0FF732511F74426FBE09EEC982ED56A2
                                                                SHA1:D06B4A0E2745AF3C47E51721347852827EE18707
                                                                SHA-256:9DB03AC8466E45B2FF32F419686E9B44286B2B29A7FCF2B1C7DBC0BCD46C927B
                                                                SHA-512:E0A5115D5683D2E68E5274D77D007C35ACA02C137D8D52461889289282797ED29F57DC5FE1D604D0B09EE11F4152C7AC168CEF7BC681A8890DF1589301784E05
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1039136
                                                                Entropy (8bit):6.580236835541948
                                                                Encrypted:false
                                                                SSDEEP:24576:fXAsqzXlKZSxpJUlwtC/jCQ6tGh91Ds9H2LUVMhmP3oRaEt:fX4zXlnAlwtCbM891YVH6
                                                                MD5:5E807B5DAD1B6C81982037C714DC9AEF
                                                                SHA1:2B818F50C0CE821CD0278C714E57CB591B89B715
                                                                SHA-256:AC94FBB73EBD0CE13AEA7C1AFCBA0DF9A646CBE5795E804FA0C0AC4EBA259E16
                                                                SHA-512:665EA8069E8D75089EF9292DD6F07E19FA7F7FA1294D44F45D017BCED0D16C8281260BCA4AC7896ACBB0DFFB483BFB13BA4298D767A4BB1A91D9FA437D6BECFE
                                                                Malicious:true
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:RAR archive data, v5
                                                                Category:dropped
                                                                Size (bytes):411326
                                                                Entropy (8bit):7.999539292971948
                                                                Encrypted:true
                                                                SSDEEP:12288:B6Mi3YwfPsKf5qBQLBub0GjeU9Nm6Go442FZceKeVt/zm/h:MMevfPss55LBCeU9Nm6Go44Q6eHbEh
                                                                MD5:861F5D9E0A900BE579B73158130174D1
                                                                SHA1:3E57F84C0F7D98844FCF7C30E40828BD9D5AC96A
                                                                SHA-256:DF5FD53A4D59F727AFCC000F50C1198ED765DA62A14BB67304494F13B78905D2
                                                                SHA-512:E1E7F2D0F5B95937B43AF9B1A90D5CB61AD7F1D34224B982DF754610165281367FD910BB66A5FD9000E057B7FD7AB246FA6E71B1A68F0994872DB3D72D14DF61
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):984312
                                                                Entropy (8bit):6.338396454828307
                                                                Encrypted:false
                                                                SSDEEP:24576:ee3xAibB85Z1HrWtB8z1L1OBJB5zzz3zzzozzz3zzz6O:lxAibBEZ1LWtBzxDO
                                                                MD5:37CA63447784D68545801EB2F9DFE1AF
                                                                SHA1:4575FA78C6E54480A1F2DA51082BFB9538649DDF
                                                                SHA-256:31F5E43E9283CF2469D8B3E51E7C28C132C6ECB0DAB855DF52CBF21D5394AE0B
                                                                SHA-512:49A16F4ADE2A434D0E502571E077529CAB54BC98BD4D3EEC45C86A9CFC9623F6830F4046B94730517C6706FDA71C54490EB5ADA538A157D0CC90DC413FA008C7
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A4659C21-0233-4410-8FE4-FC29D947059C}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 29 15:14:16 2024, Last Saved Time/Date: Fri Nov 29 15:14:16 2024, Last Printed: Fri Nov 29 15:14:16 2024, Number of Pages: 450
                                                                Category:dropped
                                                                Size (bytes):56124928
                                                                Entropy (8bit):7.980346255968996
                                                                Encrypted:false
                                                                SSDEEP:786432:AjCh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZAy:A86FnkF2d6VXXtzR5mgvkz1d2x5wKkA
                                                                MD5:772813518AEA3A48271080B42D5C6264
                                                                SHA1:19C152151A15A8ADA30DCE65648755C60D1AB9D6
                                                                SHA-256:A7253143B6D8A97B7B1ABA868DAC4BD902BD077A5279DEA702DFB836F9D6C0B2
                                                                SHA-512:BEA7F4875FD36955EDD69918D57ACCCD690433C4145C2FDB792CC8CBD588E63F19A8FC6C66CC2F6DF4A4E3DDDB0C6403059531AB379A00BC8C9E08D6CAA09D7C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A4659C21-0233-4410-8FE4-FC29D947059C}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 29 15:14:16 2024, Last Saved Time/Date: Fri Nov 29 15:14:16 2024, Last Printed: Fri Nov 29 15:14:16 2024, Number of Pages: 450
                                                                Category:dropped
                                                                Size (bytes):56124928
                                                                Entropy (8bit):7.980346255968996
                                                                Encrypted:false
                                                                SSDEEP:786432:AjCh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZAy:A86FnkF2d6VXXtzR5mgvkz1d2x5wKkA
                                                                MD5:772813518AEA3A48271080B42D5C6264
                                                                SHA1:19C152151A15A8ADA30DCE65648755C60D1AB9D6
                                                                SHA-256:A7253143B6D8A97B7B1ABA868DAC4BD902BD077A5279DEA702DFB836F9D6C0B2
                                                                SHA-512:BEA7F4875FD36955EDD69918D57ACCCD690433C4145C2FDB792CC8CBD588E63F19A8FC6C66CC2F6DF4A4E3DDDB0C6403059531AB379A00BC8C9E08D6CAA09D7C
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):380520
                                                                Entropy (8bit):6.512348002260683
                                                                Encrypted:false
                                                                SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                Malicious:false
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):787808
                                                                Entropy (8bit):6.693392695195763
                                                                Encrypted:false
                                                                SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                Malicious:false
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):256864
                                                                Entropy (8bit):6.8622477797553
                                                                Encrypted:false
                                                                SSDEEP:3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
                                                                MD5:E0BFA64EEFA440859C8525DFEC1962D0
                                                                SHA1:4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
                                                                SHA-256:8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
                                                                SHA-512:04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
                                                                Malicious:false
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....vv..vv..vv...u..vv...s..vv...r..vv...u..vv...r..vv...s._vv...w..vv..vw..vv.G....vv.G.v..vv.G..vv..v..vv.G.t..vv.Rich.vv.................PE..L.....$g.........."!...).(..........@i.......@......................................;.....@A....................................P.......p...............`=......l....s..p....................s......@r..@............@...............................text....'.......(.................. ..`.rdata..XU...@...V...,..............@..@.data...............................@....fptable............................@....rsrc...p...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):200163
                                                                Entropy (8bit):4.36995783557915
                                                                Encrypted:false
                                                                SSDEEP:1536:n+/BM9V5DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPkp:n+G9V5Dt+e7GVBFvvMg0Vj5Ho4CIDPkp
                                                                MD5:DA4A9DF3DB74CF6846DA66C6A181A607
                                                                SHA1:22D7277B95A12CE82B413DBB9983D403C4902ABD
                                                                SHA-256:6F94F7C13A3C4E9E4CFD52CA4FE017D3A27B088B538FAADB064549F840FEFB17
                                                                SHA-512:85E0EA3F5ECD5951821B4E8F70F74D0F60F47C8FB013224B83FA575ED98CBC87699BA99E8C01469D6B5FCD8AE5897465E5374D2D62F221E8191A51B6BC26F6AA
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@le~Y.@.....@.....@.....@.....@.....@......&.{5C0A2D89-B02D-4E7B-BB61-9AECE4FF3AD0}..Oovi Appc..installer.msi.@.....@.....@.....@......icon_27.exe..&.{A4659C21-0233-4410-8FE4-FC29D947059C}.....@.....@.....@.....@.......@.....@.....@.......@......Oovi Appc......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@(....@.....@.]....&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}5.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\.@.......@.....@.....@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}).21:\Software\Yuwei Qusi\Oovi Appc\Version.@.......@.....@.....@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}E.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dll.@.......@.....@.....@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}@.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe.@.......@.....@.....@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}E.
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.1628281489125163
                                                                Encrypted:false
                                                                SSDEEP:12:JSbX72FjGQAGiLIlHVRpiBh/7777777777777777777777777vDHF27XbBEgXnpH:J1QI5AE7XdhsF
                                                                MD5:ADB6FA68E0F7927ED6F51DC4B937EEE8
                                                                SHA1:16B0392756AA7B21C0AE84A58B320B206C7321A5
                                                                SHA-256:FA8FF92630BF93B6D07DC3E84F6325F88E6804DF76E4532B29147DB876EE5387
                                                                SHA-512:C84095A32D7CAE8322EE53755BD6F6A3A4B7E3CEE106BBD08DA783C6C6768A0AEBF85B8E82DCD8D1633DE09151675CA7F28AB9240217976C10B6C140E14AD24B
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5448873040754565
                                                                Encrypted:false
                                                                SSDEEP:48:0h8PhquRc06WXJ0FT57ICSbwAEkCyWTCX9CSbeTKtgSt:08hq13FTFpWvCEXMK
                                                                MD5:6F4AC1E019B35D0CAF288EF444E36886
                                                                SHA1:E4F85CC11CA1FAB1232B9DFB4CD5866A5F9C2EB1
                                                                SHA-256:BAF80BA76417056C054BD4BC4D81C8D1007DCA678D286CA22414648687B5EFC6
                                                                SHA-512:9E9CE539F2E7E2B2E6247D148D525AAA7D1E16FB2C4F007F6A0BBAAE27B839FDA1E45B1F14ED5D12DBCEBA94B5FD266FB60099B69EFEA3F19474E21E5C3A4B0A
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):360001
                                                                Entropy (8bit):5.362972018272892
                                                                Encrypted:false
                                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau+:zTtbmkExhMJCIpEv
                                                                MD5:16DC78F1E0D6789BC35DE8C5131B7C64
                                                                SHA1:0AB756A7E69947BD3AA7D8EB73387E728706BC77
                                                                SHA-256:1F73FDB9AB09DA743CDD435F5FAE949F1F4519CC0C1B087A7FDC121DDADAAEC2
                                                                SHA-512:45DE470DA4F687C5F28D372A64E0D033FD2A69EECD62D3F904AB383B1947D310C1BE52C82C698B84B88425EAD15A6748C7198E02D17A34AFB9530AF2FBD6D8A5
                                                                Malicious:false
                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.239639958628362
                                                                Encrypted:false
                                                                SSDEEP:48:oM1iuEWO+CFXJpT5zICSbwAEkCyWTCX9CSbeTKtgSt:JijRTNpWvCEXMK
                                                                MD5:2D9A087AC1E1041ED423A4E5C54243DB
                                                                SHA1:D809E7D6527E0DF494079618AD8D59C774F61593
                                                                SHA-256:73012260D3B9C8A1FD695C7C7C9446642DBB0F7B1285E4BA4BC5858DAB380DB3
                                                                SHA-512:BECF59CAADF0492CB48A0128CB7395580315043FE53E448C1BBE996288FD8894944931D99D90242E4A8A6183D8EC89F7FCE2F3018D47F152928E178120DF1C89
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.239639958628362
                                                                Encrypted:false
                                                                SSDEEP:48:oM1iuEWO+CFXJpT5zICSbwAEkCyWTCX9CSbeTKtgSt:JijRTNpWvCEXMK
                                                                MD5:2D9A087AC1E1041ED423A4E5C54243DB
                                                                SHA1:D809E7D6527E0DF494079618AD8D59C774F61593
                                                                SHA-256:73012260D3B9C8A1FD695C7C7C9446642DBB0F7B1285E4BA4BC5858DAB380DB3
                                                                SHA-512:BECF59CAADF0492CB48A0128CB7395580315043FE53E448C1BBE996288FD8894944931D99D90242E4A8A6183D8EC89F7FCE2F3018D47F152928E178120DF1C89
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):0.0711295117671832
                                                                Encrypted:false
                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO27oMbWyEgXLIiVky6l7:2F0i8n0itFzDHF27XbBEgX27
                                                                MD5:BAF9335834D0C5542E5F9C39B5097E52
                                                                SHA1:80F0F02628CA718FEC5071FC81DD51F8F2849115
                                                                SHA-256:8C137E640FD2420CD7FAE3E72A98EEA61F6D52AA98665776D56A98F0EC85FE61
                                                                SHA-512:5BED29E47DE13B878F92147383817D4A0EFD391A1DD0D36C25EC7966F9F4ED7EAA896BDF804D73CD4176167F7A3846FE276D4D732558E957483C9A0808187F78
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):73728
                                                                Entropy (8bit):0.1300916078745359
                                                                Encrypted:false
                                                                SSDEEP:24:QStQtxTxb1CipVb1ob1CipVb1wAEVbyjCyWTVPwGaR80M+t:QStQtxTfCSbiCSbwAEkCyWTCXM
                                                                MD5:B2BF0811BDEE2879101444330C6AB13D
                                                                SHA1:DBA63A2A1B1A6F799BE8477AD9504573AD170D77
                                                                SHA-256:5DDAEBE7A43D63E6F8A8EEF151583AB4A5CAAD538EAEBC1237708C8D287B2A41
                                                                SHA-512:8D381B2953F0D482F22AE0F0D136EC0225BCD2CF5865CE12B17328D3181E1EDFB31EFAC7E37D5FF3D6E2F0A4B4328EFA157DE6D2A4BC7880DE34D5823013A6BE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5448873040754565
                                                                Encrypted:false
                                                                SSDEEP:48:0h8PhquRc06WXJ0FT57ICSbwAEkCyWTCX9CSbeTKtgSt:08hq13FTFpWvCEXMK
                                                                MD5:6F4AC1E019B35D0CAF288EF444E36886
                                                                SHA1:E4F85CC11CA1FAB1232B9DFB4CD5866A5F9C2EB1
                                                                SHA-256:BAF80BA76417056C054BD4BC4D81C8D1007DCA678D286CA22414648687B5EFC6
                                                                SHA-512:9E9CE539F2E7E2B2E6247D148D525AAA7D1E16FB2C4F007F6A0BBAAE27B839FDA1E45B1F14ED5D12DBCEBA94B5FD266FB60099B69EFEA3F19474E21E5C3A4B0A
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.239639958628362
                                                                Encrypted:false
                                                                SSDEEP:48:oM1iuEWO+CFXJpT5zICSbwAEkCyWTCX9CSbeTKtgSt:JijRTNpWvCEXMK
                                                                MD5:2D9A087AC1E1041ED423A4E5C54243DB
                                                                SHA1:D809E7D6527E0DF494079618AD8D59C774F61593
                                                                SHA-256:73012260D3B9C8A1FD695C7C7C9446642DBB0F7B1285E4BA4BC5858DAB380DB3
                                                                SHA-512:BECF59CAADF0492CB48A0128CB7395580315043FE53E448C1BBE996288FD8894944931D99D90242E4A8A6183D8EC89F7FCE2F3018D47F152928E178120DF1C89
                                                                Malicious:false
                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A4659C21-0233-4410-8FE4-FC29D947059C}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 29 15:14:16 2024, Last Saved Time/Date: Fri Nov 29 15:14:16 2024, Last Printed: Fri Nov 29 15:14:16 2024, Number of Pages: 450
                                                                Entropy (8bit):7.980346255968996
                                                                TrID:
                                                                • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                • Microsoft Windows Installer (60509/1) 46.00%
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                File name:installer.msi
                                                                File size:56'124'928 bytes
                                                                MD5:772813518aea3a48271080b42d5c6264
                                                                SHA1:19c152151a15a8ada30dce65648755c60d1ab9d6
                                                                SHA256:a7253143b6d8a97b7b1aba868dac4bd902bd077a5279dea702dfb836f9d6c0b2
                                                                SHA512:bea7f4875fd36955edd69918d57acccd690433c4145c2fdb792cc8cbd588e63f19a8fc6c66cc2f6df4a4e3dddb0c6403059531ab379a00bc8c9e08d6caa09d7c
                                                                SSDEEP:786432:AjCh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZAy:A86FnkF2d6VXXtzR5mgvkz1d2x5wKkA
                                                                TLSH:ABC7337075AAC437D66D11B7A539EEDA423F3D210BB188D7B3E4796E0E348C1A231A17
                                                                Icon Hash:2d2e3797b32b2b99
                                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                2024-11-30T18:43:19.825809+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.8 | 49706 | 104.21.42.101 | 443 | TCP
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Nov 30, 2024 18:43:17.925354004 CET | 55281 | 53 | 192.168.2.8 | 1.1.1.1
                                                                Nov 30, 2024 18:43:18.157176971 CET | 53 | 55281 | 1.1.1.1 | 192.168.2.8
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Nov 30, 2024 18:43:17.925354004 CET | 192.168.2.8 | 1.1.1.1 | 0x66b2 | Standard query (0) | search-keys.com | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Nov 30, 2024 18:43:18.157176971 CET | 1.1.1.1 | 192.168.2.8 | 0x66b2 | No error (0) | search-keys.com |  | 104.21.42.101 | A (IP address) | IN (0x0001) | false
                                                                Nov 30, 2024 18:43:18.157176971 CET | 1.1.1.1 | 192.168.2.8 | 0x66b2 | No error (0) | search-keys.com |  | 172.67.204.246 | A (IP address) | IN (0x0001) | false
                                                                • search-keys.com
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.8 | 49706 | 104.21.42.101 | 443 | 7432 | C:\Windows\SysWOW64\msiexec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-11-30 17:43:19 UTC | 197 | OUT | POST /licenseUser.php HTTP/1.1
                                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                User-Agent: AdvancedInstaller
                                                                Host: search-keys.com
                                                                Content-Length: 48
                                                                Cache-Control: no-cache
                                                                2024-11-30 17:43:19 UTC | 48 | OUT | Data Raw: 54 69 6d 65 3d 31 32 25 33 41 34 33 25 33 41 31 37 26 44 61 74 65 3d 33 30 25 32 46 31 31 25 32 46 32 30 32 34 26 50 72 6f 64 75 63 74 49 44 3d
                                                                Data Ascii: Time=12%3A43%3A17&Date=30%2F11%2F2024&ProductID=
                                                                2024-11-30 17:43:21 UTC | 815 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 30 Nov 2024 17:43:21 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=71QjP1RqkJwEq82OvPv%2FEQ2X9rBjWw1YGtubBxRBJrYd5tWnPIKmq%2F06O36ZW%2FELwSEMC7CVcAflpzFjKLF3TCvTjmU3oMNrK%2F9t98o7RxKPU9p%2BXFLDNTQYb5QnjzIhwkk%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8eaca39e2a6a6a5f-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1728&rtt_var=669&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=905&delivery_rate=1610590&cwnd=180&unsent_bytes=0&cid=a45e9897640fbcbf&ts=2136&x=0"
                                                                2024-11-30 17:43:21 UTC7INData Raw: 32 0d 0a 30 61 0d 0a
                                                                Data Ascii: 20a
                                                                2024-11-30 17:43:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0



                                                                Target ID:1
                                                                Start time:12:43:05
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer.msi"
                                                                Imagebase:0x7ff75eb00000
                                                                File size:69'632 bytes
                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:12:43:05
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                Imagebase:0x7ff75eb00000
                                                                File size:69'632 bytes
                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:3
                                                                Start time:12:43:08
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 06B29DD31BB3147C5D5EACFAE0E901AD
                                                                Imagebase:0x90000
                                                                File size:59'904 bytes
                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:12:43:21
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss412F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi412C.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr412D.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr412E.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                Imagebase:0x5f0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:12:43:21
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6ee680000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:12:43:29
                                                                Start date:30/11/2024
                                                                Path:C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
                                                                Imagebase:0x7ff655e50000
                                                                File size:1'039'136 bytes
                                                                MD5 hash:5E807B5DAD1B6C81982037C714DC9AEF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:12:43:29
                                                                Start date:30/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6ee680000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:5.7%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:50
                                                                  Total number of Limit Nodes:5

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$ConsoleProcess$FileNamePath$Threadpool$CloseCreateInfoSystemTimeWindow$CommInformationLocaleQueryTransacted$DebugFreeGlobalHandleMessageNamedPipe$ApplicationAtomAttachAttributeBoostCalendarCheckCleanupContextDefaultDescriptionEnumEventExceptionFindFullGroupHandlerLocalMenuOpenOutputPerformancePriorityPrivateProfileResourceSectionShowSizeStringTimerVectoredVirtualWow64$ActiveAddressAliasAllocateAsyncAutomaticBeepBoundaryBreakBuildButtonCacheCallbackCancelClientClipboardComboCompareConnectCopyCounterCriticalCursorCycleDateDebuggerDeferDeleteDescriptorDestroyDirectoryDrawDynamicEmptyEnableEscapeExclusiveExesExitFile2FillFirmwareFirstFlagFlushFormatsFrequencyFunctionHiliteInitializeInputItemKillLanguageLanguagesLargestLengthLinkLockLogicalLongMembersMinimumModeMutexNamesOverlappedOwnedPagesPeekPendingPhysicalPopupsPreferredPresentProcProcessorPropertiesRadioReadRecoveryRedirectionReleaseRemoteRemoveReplaceRestartResultResumeSearchSelectSettingsShortStartupStateStationStatusStrokeStructSymbolicSynchronousTablesTapeTerminateTextTimeoutsTransactUnregisterUserValueVersionViewVolumeWaitWindowsWriteZonelstrcatlstrlen
                                                                  • String ID: 3dgT5McsnoDn1h5UmKQQq3bhE5B$5GqbchfxllHZ4vXTV72kJC$61zfpJ6OMKbTwdW5UkVvujwo3$9HSXmVlUnTcVUy1xV7HP$LaZjydNmAZfocxtbRuFchPZ$Software\lISYRvcEFuAbCKNFhD$UcZPNKNLBCBuJMTZUQyWNvxZcTL$WhRv5MYc3FWOSDOy18n4ur9Q$ac8PaKcL4Z11OvrbKx$d66l1OEzY7c8m4eS2$gcNnEzeZNuzcKBsCQVz$smqaByahZdOrbUEiVynN16xOkQr$szoCVZtTGfwqDWAThLq$uFJjf33Uc6kcg6EBlyixM8zZfzebv$xCyThOCP4jXi9CmL$xdtbgPxdVEKMUDOnK$yUCMLfctVaLUIZBtLJS
                                                                  • API String ID: 2490430414-2192411111
                                                                  • Opcode ID: 8020f8047c0b2a80112d3fe85d1c856b8a80c1675ed74661d38c399015a0ff42
                                                                  • Instruction ID: 98ae1a334fe462e9382dce49ec937deea5b5c6559b1d30fa38c4d5f4147c8a20
                                                                  • Opcode Fuzzy Hash: 8020f8047c0b2a80112d3fe85d1c856b8a80c1675ed74661d38c399015a0ff42
                                                                  • Instruction Fuzzy Hash: 22624BB2A28A5287F728DF79EC5566A32A2FF88705F80D439DB4B46974CE3DD045C708

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: File$Console$NameTime$CheckDefaultDirectoryEnumFormatsInfoLanguageLocalLockReadRemoveThreadTypeVirtual$AliasAllocApisBindBreakBufferBuildCacheCallbackCommCompletionCompressedConnectContextCopyCreateDateDebugDebuggerDot3ErrorExceptionExclusiveExesFindFirmwareFlagsFlushGroupHeapIconInstructionInterruptItemLegalLengthLibraryLoadLocaleMembershipMenuModeMultipleNamedNextObjectsOutputParamPathPipePresentProtectQueryQueueRaiseReleaseResetScreenSizeStartStringSystemTempThreadpoolTimerTitleTokenTransactedUnbiasedUnpackUnregisterValidWaitWatchWrite
                                                                  • String ID: - Archive$ - Compressed$ - Directory$ - Encrypted$ - Hidden$ - Read-only$ - System$ - Temporary$Attributes:$Current Directory: $Dk4XPkGMO9YFtK6JQNhevnbHLZ$MP4lS7IyIwmzf54DyeFn5PS18YZ$VUUU$eKRKKT9FoQzyoro5Rjx7cz
                                                                  • API String ID: 690041173-3528780782
                                                                  • Opcode ID: 491161eb273464e6994132cd1ab817b7a6852653fa12b47a198df09c75183e42
                                                                  • Instruction ID: efda6bd151ef7f84ea89f05b81bfdbb0c7516124137157276206280038dcf338
                                                                  • Opcode Fuzzy Hash: 491161eb273464e6994132cd1ab817b7a6852653fa12b47a198df09c75183e42
                                                                  • Instruction Fuzzy Hash: 91725B72A28B918AF7149FB9EC512AE3371FB98709F50803ADB4E56A78DE3CD145C704

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Create$File$DebugTime$OutputProcessStringThreadpool$MemoryWaitWow64$CloseConcurrency::cancel_current_taskEventFindOpenVirtualWrite$AttributesBandwidthConsoleCurrentExceptionFormatHeapLimitLocalLockMiterPrivateProfileReadRedirectionRemoveReservation$BeginBoostBoundaryByteCacheCallbackCommCompatibleComputerDataDeleteDescriptorDirectoryDisableEntryFiberFilterGroupHandleHandlerHostnameInformationInitInitializeInterlockedLanguageLeadLibraryListLoadMappingMountMultipleMutexNameNamespaceNextNotificationObjectsOnceOriginalPathPointPriorityProfilingProtectReclaimRectangleResourceRevertSectionSecureSizeSpecificSystemTempThreadTimeoutsTimesTitleUnhandledUnlockUnregisterValidVectoredVersionVolumeWatchWorkZone__std_exception_copylstrcat
                                                                  • String ID: %s\wMujoAHvPDAzPmygZHAyipQlctT$1dCrFHpOkmhYRH9V9SAFm$GzEigLlxvnBkxNWQeFrLqkmhhnR$IrGwpoRRlFOjnBs$MVKoWgOhCOcEjeENiINMkeGcQ$Mutex does not exist.$Mutex exists.$MyUniqueMutex$Process started at: $Software\lKUQcjWjYjyBWgWIhV$UH6M61aOuUuIz3qYFYz$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 3810036003-2109439787
                                                                  • Opcode ID: 70003d70a00b20c477f8b355f789aecb7d4181fdc540b285642e441e510bfdcf
                                                                  • Instruction ID: cb340845fef4ae75335f14d8df06b7f5479598897423456f4e7a2986a5ac9c06
                                                                  • Opcode Fuzzy Hash: 70003d70a00b20c477f8b355f789aecb7d4181fdc540b285642e441e510bfdcf
                                                                  • Instruction Fuzzy Hash: 69B26F72A187818AE710DF79E8502AE77A1FB98748F44913AEB8E47A79DF3CD144C704

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Create$Console$FileThreadThreadpool$Time$Info$CloseLanguagesPreferredUser$FiberInputLocalLocaleLockModeNameSystemTimerWaitWindow$CancelClipboardCommConcurrency::cancel_current_taskDataDirectoryEnumEventFindFontFormatsLoadLogicalNodeNumaOutputProcessProfileQueueReadRectStringTransactedTypeWorkWow64Writelstrlen$AcquireApisApplicationAvailableBackupBarrierBitmapBoostBufferBuffersByteCallbackCallbacksChangeChangesCheckClipCommandCompletionCompressedComputerConvertCountCounterCtrlDefaultDevicesDisableDisplayDrivesDurationEnterEntriesEnvironmentErrorExclusiveExpandExtentFirmwareFontsFormatGlobalGuaranteeHandlerHeapHighestIndirectInformationLabelLangLeadLibraryLimitLineMembershipMemoryMinimumMiterMoveMutexNativeNotificationNumberOffsetPalettePathPerformancePointPriorityPrivateProcessorPropertiesQueryQueuedRecoveryRedirectionRegisterRegisteredRemoteRemoveResourceScreenScrollSearchSectionSeekSentrySizeSoundSpecificStackStatusStringsSwapSynchronizationSynchronousTempTextTokenUnlockValidateVirtualVolume
                                                                  • String ID: 1KRkM49aBj2c6k6ICVKT8xRB$4Y54I9Z3LKuoLGu$4inlpWbQq594kzFO$B3CLvGykeGZLcZaWo3y/2u0PuwPky3ud/mGpjhEO6FmcFuzysMFwvBD0U7Xf/KJpMm16UKNgNHuAxtdQJc3OOfQQViXw8ND8AmQ/Ssb1Im6/Ubih3KamrxZtZgWxDvI8GcgV+YxltQYnx6YEwcaOzHcNnvr22K/cH0DuhSxLoi4qGMm3rOJUq+aB9KRLxNlM95LTBJnXNGOnkzwdoxE0Jn9N3h0QJn9mOOBWR6ZB8aLRaTNQXUsnSnU2xsHvCW6H8qFV$G9z2yovPc2Q1tbA9hT$S239B4Y8nbpWJm29jMjg58U$hwakbaS2uN52UH7iMCVBJZLZZb5
                                                                  • API String ID: 583393112-277654473
                                                                  • Opcode ID: 5d61334a5c406d43a595148fea73e72b0223fbd2e2f95ddd2bd118fcdba12034
                                                                  • Instruction ID: 1e07bc9d0cb3a2fd79cd9c7393c7f0c87771694d0bf0b5a01b3fb3a0e86a49b2
                                                                  • Opcode Fuzzy Hash: 5d61334a5c406d43a595148fea73e72b0223fbd2e2f95ddd2bd118fcdba12034
                                                                  • Instruction Fuzzy Hash: B9828172A28B918AF714CFB9E84129E37B5FB58758F10813AEB8946E68DF3CD105C704

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: FileTime$LockitProcessorSystemstd::_$CryptTimer$CloseConsoleContextCreateFindFirstLockit::_Lockit::~_MaskNodeNumaProcessTemp$AcquireAffinityAtomBandwidthBufferContinueCursorCycleDefaultDeleteErrorEventGlobalHandleHandlerIdleInfoInformationLanguagesLocalLogicalModeNameNamedOpenPathPeekPipePositionPreferredPrepareQueryQueueRandomReleaseRemoveReservationScreenSemaphoreSpecificStringTapeThreadThreadpoolVectoredWaitWaitableWritelstrcmpi
                                                                  • String ID: HEX$KpjrNRbB6JU83mp1$LxYeHC3Fv1ovWvb$W25WD92Ga8o1O1lk6CF6jd7WA$cinTiGXBs8XJurc1oYnIHdOADqZQe$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$pFBDjdJcekeAOkPRYjWHSn$pH6hj8emoiU279vtrnYXhicwJ$txt
                                                                  • API String ID: 3552715291-460884858
                                                                  • Opcode ID: 529287cf7a629eeed955ce15f05e2accc7377dac80fad6f2d0c100e21ed98f40
                                                                  • Instruction ID: 72c69643e6caac040a4375dca23c439b480654c4e90853e1b24fa0b87c1acba0
                                                                  • Opcode Fuzzy Hash: 529287cf7a629eeed955ce15f05e2accc7377dac80fad6f2d0c100e21ed98f40
                                                                  • Instruction Fuzzy Hash: FFC23872A18B818AE710CFB9E8402EE77B1FB94748F50852ADB8D57A79DF38D144C748

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleProcessThread$Output$BoostCompletionEnumInformationOncePriorityTimeVersionWrite$AllocAttributeBuffersCalendarCallbackCharacterCommConnectCreateCtrlDebugDescriptionDriveDynamicExecuteFileFillFlushFormatFromGlobalHandleHandlerHeapInfoInitLanguageLogicalLongNamedNodeNumaNumberPipePortPostPurgeQueryQueuedReadResourceStatusStringStringsTerminateTimesTypesValidZone
                                                                  • String ID: 9QAxr1EIAUj4iSN21bEu6bmHcq827$burPtoM5NossWo1lmwZB1w6z4$iNwaSuDUiaySOHHwaSaRoLfytQe$znX2VT8lH5XNJV3rqdELI9U2e77
                                                                  • API String ID: 2687856181-1712720938
                                                                  • Opcode ID: bfd818de752abb4e4209b6b395b1bde4b300373b3d4ef6ae9517ac1f2e7e5ff6
                                                                  • Instruction ID: d5c3db464aa95a28ff627beecf98b442390291f3afc0c41714a919fae8ac4890
                                                                  • Opcode Fuzzy Hash: bfd818de752abb4e4209b6b395b1bde4b300373b3d4ef6ae9517ac1f2e7e5ff6
                                                                  • Instruction Fuzzy Hash: 82915D72A24B418AE728DF79EC156AE73A2FF58709F40C439DB4A46978DE3DD114C708
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1705453755-0
                                                                  • Opcode ID: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
                                                                  • Instruction ID: d6bd023aef13f88f7da155c71dc16a27506a3a5de3dcecbee528923cabe123b6
                                                                  • Opcode Fuzzy Hash: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
                                                                  • Instruction Fuzzy Hash: ECF092B7600A8496CB50CFAAD584AAD77A0F758BD8B258027EB5C83714CB3AC495CB00

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: 6390aeb57d05bbcbc04ba519758010bfa20ba30c057aeb50f64369f5d6eeed7e
                                                                  • Instruction ID: 29fe0d3c738ea6d12cfdbb2b8e3df5f0a96dec6a5f04411e1d56f58fefaab137
                                                                  • Opcode Fuzzy Hash: 6390aeb57d05bbcbc04ba519758010bfa20ba30c057aeb50f64369f5d6eeed7e
                                                                  • Instruction Fuzzy Hash: D3818EE1E1A2438AFA50AB3FD8412B96691BF857C0F58C475EB4D473B6DE3CE8018708

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                  • String ID: bad locale name
                                                                  • API String ID: 2967684691-1405518554
                                                                  • Opcode ID: 4d618d0bc471f78bf964697d2d9909a3f66bb0115f7f296f8eb1e3041bb195f1
                                                                  • Instruction ID: 373ec40bbff744f1bcaf90e85b9c50f600fe90eb51a185126b4323d7d25879b4
                                                                  • Opcode Fuzzy Hash: 4d618d0bc471f78bf964697d2d9909a3f66bb0115f7f296f8eb1e3041bb195f1
                                                                  • Instruction Fuzzy Hash: 43414B62B1AB8189FB50DBBAD4902BC3374BF40B44F049539DF4E26AB9DE38D516D348

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: LockitLockit::_std::_
                                                                  • String ID:
                                                                  • API String ID: 3382485803-0
                                                                  • Opcode ID: 4f21e6f75f7f50f25eb7c8a0aeaaddd4b641bc91c9529967ac6621c9aced8bf0
                                                                  • Instruction ID: 0770371f9946b17a37bf3751153b2eb15f5b2baca6518d8a0d0a2813a35dd64c
                                                                  • Opcode Fuzzy Hash: 4f21e6f75f7f50f25eb7c8a0aeaaddd4b641bc91c9529967ac6621c9aced8bf0
                                                                  • Instruction Fuzzy Hash: E901D292A0994284FA15EB7BE9002752351FB417B4F088231DF2D466F5EE3CE887C308

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleType
                                                                  • String ID:
                                                                  • API String ID: 3000768030-0
                                                                  • Opcode ID: d652bc23b0b5090fa4b93a99e9b015a9ba57940693667ccc7341c28d2e76c0c3
                                                                  • Instruction ID: 0d9014eabf764771fb0a5e4525d7ac8e74d8bcecdbbbee4559970d45cc3db01b
                                                                  • Opcode Fuzzy Hash: d652bc23b0b5090fa4b93a99e9b015a9ba57940693667ccc7341c28d2e76c0c3
                                                                  • Instruction Fuzzy Hash: 2C318961D18B9686D7608F2ED94017C6651FB45BB0B685336DB6E473F0CF38E4A1D348

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1032 7ffbbb7baed0-7ffbbb7baf91 call 7ffbbb769f00 RegCloseKey 1034 7ffbbb7baf97-7ffbbb7bafa8 1032->1034
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID:
                                                                  • API String ID: 3535843008-0
                                                                  • Opcode ID: d86bdaa27196374e294cfbf7bd1d5411a5a7b569221d59ed5ed9ded445e4de73
                                                                  • Instruction ID: 8041b56636e3ccaecd76df5b7e4b71c10e48dee34af6e403c57365ed96fc53ad
                                                                  • Opcode Fuzzy Hash: d86bdaa27196374e294cfbf7bd1d5411a5a7b569221d59ed5ed9ded445e4de73
                                                                  • Instruction Fuzzy Hash: A411F0F7610A84D6DB50CFAAC4853A877A0E799F8AF29D01ACF1D47350EB3AC189C701

                                                                  Control-flow Graph

                                                                  control_flow_graph 1151 7ffbbb7baca0-7ffbbb7bad32 VirtualProtect 1152 7ffbbb7bad39-7ffbbb7bad53 1151->1152
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
                                                                  • Instruction ID: 010ad77b46231546ad8e563a91b9bd877a52f49bfa2d6eec000b6cc97054d2fc
                                                                  • Opcode Fuzzy Hash: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
                                                                  • Instruction Fuzzy Hash: 381133B7600A88C6CB50CF6AD988AA87760F79CB89F268116DF0D43350DB36C495CB40
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB795C19
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: e296d3fb9d14b402445ae2c2f51c668b9a2c80fb8a04aa2e7203e4f5c1d70b7a
                                                                  • Instruction ID: ac608272306c51a9fb0346e7e50f0323d74fe73c2bf4739fc476d4d97fd61ff6
                                                                  • Opcode Fuzzy Hash: e296d3fb9d14b402445ae2c2f51c668b9a2c80fb8a04aa2e7203e4f5c1d70b7a
                                                                  • Instruction Fuzzy Hash: F921E3B2A18B4296E710DB2AEC4016973A5FB88790F548235EA9C43B74EF3CE595C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB791B59
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 279bae7837d6f6f69874f15a745aac6c15627e59299a3d55bd8c87cee1630aab
                                                                  • Instruction ID: 69a0b2fe1db98173b32ca85f5777e79c75d8150cc329a0e97053b3ece33def66
                                                                  • Opcode Fuzzy Hash: 279bae7837d6f6f69874f15a745aac6c15627e59299a3d55bd8c87cee1630aab
                                                                  • Instruction Fuzzy Hash: C4213EB1A18B82D2E610CB2AFC401A573A5FB84790F548236D78C53B74EF3CE955C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB78DA39
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 4293f361947186d06a293cb7579da7f0dc36eefbbab1a4f260493dd47c058e40
                                                                  • Instruction ID: 64dd5a1c32b9407c3f9da2d174c8acba8e5ba632e30a88b94f2a2dc2a7975859
                                                                  • Opcode Fuzzy Hash: 4293f361947186d06a293cb7579da7f0dc36eefbbab1a4f260493dd47c058e40
                                                                  • Instruction Fuzzy Hash: 762114B2A19F8282EA10CB2AFC400657365FB887A0F198236D79D43770EF7CE595C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7A3939
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: c5be7f9f27dbb81c650e794225b8f5323966d61d075e865e1edacc639caf48f6
                                                                  • Instruction ID: ab94c5f1672675da71514806bfeac65fc429ff4e52070a5191489dffd9412a74
                                                                  • Opcode Fuzzy Hash: c5be7f9f27dbb81c650e794225b8f5323966d61d075e865e1edacc639caf48f6
                                                                  • Instruction Fuzzy Hash: 26213CB2A18B4296E790CB2AFC801697364FB88794F158235D78D43774EF3CE595C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7A2BE9
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 502541c00ad85915940d34b73a98afe3559057d4a256d2cb13a42dc9b0b57828
                                                                  • Instruction ID: 816505096d34a1695c1c88514f900835f633178cb2f4f913c09b7b373064094d
                                                                  • Opcode Fuzzy Hash: 502541c00ad85915940d34b73a98afe3559057d4a256d2cb13a42dc9b0b57828
                                                                  • Instruction Fuzzy Hash: C62116B2A18B4386E650CB2AFD4016973A5FB887A1F188235E74D47774EF7CE654C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB79D109
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 82e5c436cb6b6a87f28b2c2d076a12de56762f545e4111dddacb3920ad758b1a
                                                                  • Instruction ID: 06f1c3150d149f1f1668eccf02e191b0644e7255dfd5c3b16804e2599881e562
                                                                  • Opcode Fuzzy Hash: 82e5c436cb6b6a87f28b2c2d076a12de56762f545e4111dddacb3920ad758b1a
                                                                  • Instruction Fuzzy Hash: 5D2103B2A18F8296E6108B2AFD4017973A5FB88790F548235D78D57770EF3CE555C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB794F39
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 4cecbc449f2d1fc503eb5c226c550831a156e6d3ddeffc459497b5f4054cf27c
                                                                  • Instruction ID: 282bba8426a3e7c85ccaae49b1b6641b3b28d166506adbcec5f2cf4cf6794437
                                                                  • Opcode Fuzzy Hash: 4cecbc449f2d1fc503eb5c226c550831a156e6d3ddeffc459497b5f4054cf27c
                                                                  • Instruction Fuzzy Hash: 3D21E9B1A18B8392E610CB2AFC8016573A5FB88790F558235E79D43B74EF3CE595C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB790E59
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 8ff4cf218442946a47409954c6bdcddfcc72e23f447749912050ddd79df53b7f
                                                                  • Instruction ID: 514a8ff4be376bdabd8c71133563c91fbc1f32c958b6e76fb71c0ac74eb7930d
                                                                  • Opcode Fuzzy Hash: 8ff4cf218442946a47409954c6bdcddfcc72e23f447749912050ddd79df53b7f
                                                                  • Instruction Fuzzy Hash: 2B2105B2A28B429AE6108B2AFC401657365FB88790F58C236EB9D43774EF3CE554C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB79C429
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: ed2826583cad6295795af3109690288e1b0bd3b7b7bfda67f546132329332a5b
                                                                  • Instruction ID: 284130eaf382ed60e18bce41489e2f2276225e04cfa1b06a95432d3305373eb1
                                                                  • Opcode Fuzzy Hash: ed2826583cad6295795af3109690288e1b0bd3b7b7bfda67f546132329332a5b
                                                                  • Instruction Fuzzy Hash: 072119B2A18B4296E610CB2EFC401697765FB88790F548235EB8D43774EF3CE955C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7982F9
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 18d28e4d831b5e94347aebe1f4bdbf731c05b8c754a50473aad6caea470f264a
                                                                  • Instruction ID: 628e85e867a6bbcee3acfbaefb271b5300e4233b548fa5797c920b6bdec82eb2
                                                                  • Opcode Fuzzy Hash: 18d28e4d831b5e94347aebe1f4bdbf731c05b8c754a50473aad6caea470f264a
                                                                  • Instruction Fuzzy Hash: DE2128F1A18B8292E610DB2AFC4016973A4FB88B90F148235E79C43B70EF3CE554C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB794239
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: daa2f514db4d2db07f26c866d74deb298289b0694568f1c2d02ad6947cb92a37
                                                                  • Instruction ID: 42364d987088e1d9c6db3c456643a0da711ec04b8da9c0b9ae933410a9f6ca79
                                                                  • Opcode Fuzzy Hash: daa2f514db4d2db07f26c866d74deb298289b0694568f1c2d02ad6947cb92a37
                                                                  • Instruction Fuzzy Hash: 9F21E4B1A28B8296E650CB2AED401A97364FB88790F548235E79C43774EF3CE955C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7AA189
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: c7f27a65d19f0997298aff9fa48fd471941a2cdc1a282deccb426cb5ca628336
                                                                  • Instruction ID: d9d2f960895ce4e15ad87115e1976f15ed8ca3b2c609b37595a467eb0a2b8d8d
                                                                  • Opcode Fuzzy Hash: c7f27a65d19f0997298aff9fa48fd471941a2cdc1a282deccb426cb5ca628336
                                                                  • Instruction Fuzzy Hash: DD216AB1A18F8292E610CB2AFC40065B364FB98794F548236E74C43771EF3CE595C708
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7A8769
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 5c66b7f453cf2cb8c94d99da9b25df813414510b6cf397550893bd168ad211dd
                                                                  • Instruction ID: 7500904d16e98741d2768a9ea4f83efb53cf6eb8319146b039f075372602ac3b
                                                                  • Opcode Fuzzy Hash: 5c66b7f453cf2cb8c94d99da9b25df813414510b6cf397550893bd168ad211dd
                                                                  • Instruction Fuzzy Hash: 7B213AB2A19B4286E720CB2AFD800A973A4FB88790F198235D79D43774EF3CE554C748
                                                                  APIs
                                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FFBBB7A4669
                                                                    • Part of subcall function 00007FFBBB7D8868: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D8878
                                                                    • Part of subcall function 00007FFBBB7D87FC: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D880C
                                                                    • Part of subcall function 00007FFBBB7D87FC: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBBB7D884C
                                                                  Similarity
                                                                  • API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
                                                                  • String ID:
                                                                  • API String ID: 507308885-0
                                                                  • Opcode ID: 06a706eaf33dd1a474d49b539d6ca3c460ccd7ae60b2d7133b95aa6fc3856135
                                                                  • Instruction ID: d017d04c18c53750dbb69c9f418e3c23bf36d987cdef2413f93aea29e5077762
                                                                  • Opcode Fuzzy Hash: 06a706eaf33dd1a474d49b539d6ca3c460ccd7ae60b2d7133b95aa6fc3856135
                                                                  • Instruction Fuzzy Hash: B821E3B1A18B4686EB50CB2AEC801A973A5FB88790F648235DA8D43774EF3CE555C748
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 3215553584-0
                                                                  • Opcode ID: e1a5f6e0d354ffd4a61172b02e688634fd896e91eb8340d25ab8f061e3ee3a04
                                                                  • Instruction ID: faf5cd90b0ecb750e77144a28cd29872e284de4c1fce526bee49813b6559dde0
                                                                  • Opcode Fuzzy Hash: e1a5f6e0d354ffd4a61172b02e688634fd896e91eb8340d25ab8f061e3ee3a04
                                                                  • Instruction Fuzzy Hash: 07116DB291D68282F311DB2EE84156973A5FF84740F568035D79D576B2DE3CE810CB0D
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 3215553584-0
                                                                  • Opcode ID: 3bcebe679e15fd20b0a9c9f9063ff4da7fcd470830ba3c38193455c5fdbb8212
                                                                  • Instruction ID: 6a607c7593d84e09822f92cb9c0beecc21f73660f66a78a3008d5d9f4251337a
                                                                  • Opcode Fuzzy Hash: 3bcebe679e15fd20b0a9c9f9063ff4da7fcd470830ba3c38193455c5fdbb8212
                                                                  • Instruction Fuzzy Hash: 331112B2A04B069DEB109FB4D4812ED37B8FB0835CF504626EB4D12B69EF34C194C799
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: b6326df03547ea6f84f29f9ee147747a304e1d365c9d8797de04ee65a0ac18c9
                                                                  • Instruction ID: 8f8d52afec40f46d0eeadfd85e36a0686173138d1b6a7b5bb6e5a7a16d19a297
                                                                  • Opcode Fuzzy Hash: b6326df03547ea6f84f29f9ee147747a304e1d365c9d8797de04ee65a0ac18c9
                                                                  • Instruction Fuzzy Hash: AE01CE7B604F8896CB50CF5AE48469D77A0F38CBD4B25812AEF9C93724CB3AC451CB00
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
                                                                  • Instruction ID: 7c15578d300e577eb2588c54f86070f396cfde503b42f02a8c29891fe5e503b2
                                                                  • Opcode Fuzzy Hash: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
                                                                  • Instruction Fuzzy Hash: EEF0B2BB610A84D6CB50CF6AE484A9D7760F359FD8B258126DF5C43724CB3AC455CB00
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor
                                                                  • String ID:
                                                                  • API String ID: 2325560087-0
                                                                  • Opcode ID: aaebc418823c9575415179538005d26b0c6be2ef4514bb23be5254d80d95a457
                                                                  • Instruction ID: 648604ba1b0746e9f17e6e6eae74db3a5f573fd35a5032b7aa5dd023c8fffa29
                                                                  • Opcode Fuzzy Hash: aaebc418823c9575415179538005d26b0c6be2ef4514bb23be5254d80d95a457
                                                                  • Instruction Fuzzy Hash: A3E06DA1A0D18B42F618A27AD8163B92255AF80304F14C438C70E0A6F6CE3CB805C31B
                                                                  APIs
                                                                  • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBBB7D8A9C
                                                                    • Part of subcall function 00007FFBBB7DAA9C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFBBB7DAAA4
                                                                    • Part of subcall function 00007FFBBB7DAA9C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFBBB7DAAA9
                                                                  Similarity
                                                                  • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                  • String ID:
                                                                  • API String ID: 1208906642-0
                                                                  • Opcode ID: 38e1f9dd353ab1311430ed46a4c818225c8d45ce28ef063a1c26dd7149f9699a
                                                                  • Instruction ID: f86df2029349a3603d37447861ac132b2b4eddc32e676166b9e58093e3f0a287
                                                                  • Opcode Fuzzy Hash: 38e1f9dd353ab1311430ed46a4c818225c8d45ce28ef063a1c26dd7149f9699a
                                                                  • Instruction Fuzzy Hash: 2FE0B6D0D1F14344FE652B7FDA022B906403FA1384E91D2B8DB0E062B39E1E3446526D
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ExitFatal
                                                                  • String ID:
                                                                  • API String ID: 3155629236-0
                                                                  • Opcode ID: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
                                                                  • Instruction ID: acba1fe49ee8351d4f0489dbb5485bd46bb8baaf7d3ea97e89b45ff6e6ab8d73
                                                                  • Opcode Fuzzy Hash: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
                                                                  • Instruction Fuzzy Hash: BEE0E2F3701A80C6DB14CF69C48536877A1EB58B8AF19D019CB1C4B394EA3AC489CB10
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
                                                                  • Instruction ID: 3d8f7e631a3ccd99bc0deaa089928b8581e76186698eec05205fca20e431eef2
                                                                  • Opcode Fuzzy Hash: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
                                                                  • Instruction Fuzzy Hash: 1411F0B7700A88C6CB10CF6AD888AA837A4F75CB89F268016DF1C83750DB36C495CB00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap
                                                                  • String ID:
                                                                  • API String ID: 4292702814-0
                                                                  • Opcode ID: 0affdaf1a022709bc3323f129481ba28d19f5a0fd1859835d8584e645e53ea15
                                                                  • Instruction ID: ba18d7ce0ac62fa2cc9064cd97827644505cdc25f1aafa8a9cc229324a90ddab
                                                                  • Opcode Fuzzy Hash: 0affdaf1a022709bc3323f129481ba28d19f5a0fd1859835d8584e645e53ea15
                                                                  • Instruction Fuzzy Hash: 06F049C4B0A68649FE655ABBD9107B552943F84B80F588430CB0E8A3F1EE5CE480822D
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap
                                                                  • String ID:
                                                                  • API String ID: 4292702814-0
                                                                  • Opcode ID: 6bc2fdb58f91452390f0bcded91a8559289126f5c4b3127bbf0fa4feb56deb03
                                                                  • Instruction ID: c4e7b413ac62ba584f8524e497800d8c84266ad065051b525280b9bd95cd42be
                                                                  • Opcode Fuzzy Hash: 6bc2fdb58f91452390f0bcded91a8559289126f5c4b3127bbf0fa4feb56deb03
                                                                  • Instruction Fuzzy Hash: D9F05E84B09A8241FA6456BBD92067811807F447A0F188270EB3E4A2F1DD6CE440952D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: File$Process$Info$Thread$NameSystem$Create$Time$CommFind$ConsoleEnumLocalThreadpoolWindow$FirstFormatProcessorTransactedUserVariableWow64$AttributesCallbackDirectoryFlushGroupLanguageNodeNumaObjectPolicyResourceStateTimer$AffinityAllocApplicationBeginCalendarCloseCodeComputerConditionConfigCurrencyCursorCycleDefaultDeferDeleteEnvironmentHandleInformationInterlockedListLocaleLocalesLongMailslotMaskMenuMessageMoveOpenPathPriorityProfilingQueryReadReturnsSizeSpecificTerminateVirtualVolumeWaitWaitableWhen$ActiveApisAppendAssignAttachAttributeBackupBarrierBoostBuffersCacheCallCallbacksCancelCheckClassCleanupClipboardComboCommandCompletionContextControlCopyCountCriticalDataDateDefinedDisableDot3DrawDuplicateEnableErrorExceptionFiberFilterFirmwareFlagsFrameFreeFullGlobalGroupsHeapHeapsIconImageInvertLanguagesLastLeaveLegalLibraryLineMappingMaximumMetaModeModesMountMutexNamedNamesNativeNextNotificationOriginalPagePagesParametersPeekPhysicalPipePointPopupPowerPreferredPrepareProgressProtectProtectedProximityPurgeRaiseRecoveryRedirectionRegisterRemoteRemoveRequestRestartRevertScatterScopedSectionSecuritySeekSelectionSettingsShutdownSizeofSleepStreamStringSubmitSwitchSynchronizationTapeTextTitleUnlockUpdateValidValueWakeWalkWithWorkWriteZone
                                                                  • String ID: 6dqMwwpXusbpjbxmX$GeJPo9z2VP1nr634jyYR16TtQ$QXCQ93lJDlEh7Vkf5$mNt6VOkMx7UXEjUY9s6JO93LZ7$n2O9wafCsGaUkxf98y4
                                                                  • API String ID: 1145931551-900010751
                                                                  • Opcode ID: d702d5d4f74ecbb666bd605baf23bafeddee0f3ccc5859352403c3117b16a20c
                                                                  • Instruction ID: 83614ab94fa72518363090e5b88397811b92935e1e5d0710426381a97ff18fb5
                                                                  • Opcode Fuzzy Hash: d702d5d4f74ecbb666bd605baf23bafeddee0f3ccc5859352403c3117b16a20c
                                                                  • Instruction Fuzzy Hash: EE6262B2B2865283F728DF3AEC25A2B3652FF89706B85D539DB4B45874CF3DD0458608
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Console$FileThreadpool$Create$SystemThread$CloseEnumProcessorTimeTimerWindowWrite$FirmwareInformationInputListLoadNameProcessResourceVolumeWait$ClipboardCommDeleteEnvironmentFindFirstHeapIdealLanguagesLibraryLocalLockOpenOutputPathPreferredPrivateProfileQueueReadRectScrollSizeStringTransactedVirtualWork$AllocAttributesBandwidthBitmapBufferBuildButtonsByteCallbackCallbacksClearCodeComputerConvertCountDataDefinedDevicesDirectoryEventExpandFiberFormatsHandleInfoInterlockedLargestLeadLogicalLongMenuMitigationModeMountMouseMoveMutexNodeNumaNumberOriginalPackagedPagesPartitionPointPointerPolicyPopupPowerPropertiesPushQueryRegisteredReleaseRemoteRequestReservationResetReturnsScreenSearchSemaphoreSentrySoundSpecificStartStringsTablesTapeTimeoutsTitleTrackTypeTypesUpdateUserValidateVariableWaitableWatchWhenWorkinglstrcat
                                                                  • String ID: 2JBAbVH6t2LkZp7$9wMl92NI15CjZC8t948c
                                                                  • API String ID: 513850785-278050621
                                                                  • Opcode ID: 9f2df8f6e841554de71ffd59eb7b9e07131ac80317d1c3eb3b17ee4c29d275ac
                                                                  • Instruction ID: 6f88aa5b39cac155ecbd7c35b54aa951b6fa4f8229e71597255e7185b50496ba
                                                                  • Opcode Fuzzy Hash: 9f2df8f6e841554de71ffd59eb7b9e07131ac80317d1c3eb3b17ee4c29d275ac
                                                                  • Instruction Fuzzy Hash: ECF120B6B2465183F72CDF7AEC26A2F3252FF89706B45D439DB4B49964CE3DD0058A08
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_malloc$ErrorLastO_freeO_readR_clear_errorR_newR_set_debugR_set_error
                                                                  • String ID: DTLSv1_listen$ssl\d1_lib.c
                                                                  • API String ID: 1134317782-1780782668
                                                                  • Opcode ID: a6e507d84cff2ab15b7b0a671dc35dcdb28fa1be44fcbb459d3f1ba971c3f532
                                                                  • Instruction ID: 857e7c4111cb8980439dbbfa2222dd14ceb7dfae62c92e9beeb872f0609f0dfa
                                                                  • Opcode Fuzzy Hash: a6e507d84cff2ab15b7b0a671dc35dcdb28fa1be44fcbb459d3f1ba971c3f532
                                                                  • Instruction Fuzzy Hash: 1262E1A2A18A5342F7649B79D8126FD2761BF84384F488131EB5D43AF6EF3DE404C719
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$L_sk_freeL_sk_num$L_sk_valueO_free$L_sk_dup$O_memcmpmemcmpmemcpy
                                                                  • String ID: P$ssl\statem\statem_srvr.c$tls_early_post_process_client_hello
                                                                  • API String ID: 642479057-77815245
                                                                  • Opcode ID: ff131c9b2350538b5ef4abb80ada6214b1a1af0a77f066e52deabf65dddfd0b6
                                                                  • Instruction ID: 5431fdc20c446270542654476ca1f4455df8f6b154c1f43d8b05cd0696f2e9bb
                                                                  • Opcode Fuzzy Hash: ff131c9b2350538b5ef4abb80ada6214b1a1af0a77f066e52deabf65dddfd0b6
                                                                  • Instruction Fuzzy Hash: 59728AA2A08A8782EB549B39D4947BD27A1FB84B48F54C036DB8D477B5DF3CE481C358
                                                                  APIs
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3AD4
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3AF7
                                                                  • CRYPTO_free_ex_data.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B29
                                                                  • OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B32
                                                                  • X509_STORE_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B3B
                                                                  • CTLOG_STORE_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B47
                                                                  • OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B50
                                                                  • OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B59
                                                                  • OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B62
                                                                  • OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B81
                                                                  • OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3B94
                                                                  • OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3BA0
                                                                  • OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3BB3
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3BE0
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3BF9
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C12
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C2B
                                                                  • CRYPTO_secure_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C44
                                                                  • EVP_MD_get0_provider.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C58
                                                                  • EVP_MD_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C65
                                                                  • EVP_MD_get0_provider.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C79
                                                                  • EVP_MD_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3C86
                                                                  • EVP_CIPHER_get0_provider.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3CA2
                                                                  • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3CAF
                                                                  • EVP_MD_get0_provider.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3CDB
                                                                  • EVP_MD_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3CE8
                                                                    • Part of subcall function 00007FFBBB8D34E0: CRYPTO_THREAD_write_lock.LIBCRYPTO-3-X64(00000000,?,?,00007FFBBB8C3B1A,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8D3506
                                                                    • Part of subcall function 00007FFBBB8D34E0: OPENSSL_LH_delete.LIBCRYPTO-3-X64(00000000,?,?,00007FFBBB8C3B1A,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8D3565
                                                                    • Part of subcall function 00007FFBBB8D34E0: OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFBBB8D3598
                                                                    • Part of subcall function 00007FFBBB8D34E0: OPENSSL_LH_set_down_load.LIBCRYPTO-3-X64(00000000,?,?,00007FFBBB8C3B1A,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8D35B9
                                                                    • Part of subcall function 00007FFBBB8D34E0: CRYPTO_THREAD_unlock.LIBCRYPTO-3-X64(00000000,?,?,00007FFBBB8C3B1A,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8D35C5
                                                                    • Part of subcall function 00007FFBBB8D34E0: OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(00000000,?,?,00007FFBBB8C3B1A,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8D35D4
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3D28
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3D46
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3D64
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3D8D
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3DC8
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3DE6
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E04
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E22
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E40
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E5E
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E7C
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3E9A
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3EB8
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3EE5
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3EFE
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F17
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F30
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F49
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F62
                                                                  • CRYPTO_THREAD_lock_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F6E
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3F87
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3FA0
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB8C3FB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$L_sk_free$D_freeD_get0_providerL_sk_pop_free$E_free$D_lock_freeD_unlockD_write_lockH_deleteH_freeH_set_down_loadL_sk_pushO_free_ex_dataO_secure_freeR_freeR_get0_providerX509_X509_free
                                                                  • String ID: ssl\ssl_lib.c
                                                                  • API String ID: 389487842-1984206432
                                                                  • Opcode ID: c04102453d1db59da9679edc27e59a271c2dae9ec1612ed5e41d8d72557cf2fd
                                                                  • Instruction ID: ba86ed8b702a0194c5ccb1c57fe3379e67842569d5d45b42037e64a665ae20ab
                                                                  • Opcode Fuzzy Hash: c04102453d1db59da9679edc27e59a271c2dae9ec1612ed5e41d8d72557cf2fd
                                                                  • Instruction Fuzzy Hash: EDD10BA6B18A8780EA10DB3AC5901E96361FF85F84F048031DF8D4B7B6CE69E556C728
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$O_free$memcmp
                                                                  • String ID: ssl\statem\statem_clnt.c$tls_process_as_hello_retry_request$tls_process_server_hello
                                                                  • API String ID: 3833834430-1850396259
                                                                  • Opcode ID: 8c729082002e9cfa7a1eafb331431c2461d9896bc4377fc92d757f52f53728db
                                                                  • Instruction ID: 00207d7116bd5e6a2ca56d15c12f18f4e845ea214889d85829cd4cee4ddd4397
                                                                  • Opcode Fuzzy Hash: 8c729082002e9cfa7a1eafb331431c2461d9896bc4377fc92d757f52f53728db
                                                                  • Instruction Fuzzy Hash: 5A5256A2E08A4786FB109B39D8447BD37A1FB84B84F54C132DB8D46AA5DF3CE5518718
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_freeO_mallocX_freeX_new
                                                                  • String ID: AES-256-CBC$SHA256$construct_stateless_ticket$ssl\statem\statem_srvr.c
                                                                  • API String ID: 1847107836-3117162005
                                                                  • Opcode ID: 90c366323b68ef24faddebb9dee4dc44e4d6301bb9cdb3a74cbd22a0d6d07597
                                                                  • Instruction ID: f7f62298501759f44e9f13cb95e4fa38e1c72e09849a898d771648db49d9a87d
                                                                  • Opcode Fuzzy Hash: 90c366323b68ef24faddebb9dee4dc44e4d6301bb9cdb3a74cbd22a0d6d07597
                                                                  • Instruction Fuzzy Hash: C50250A2B0CA4385FB20EB79D8406BD6361BF85784F40C431EF8D97AA5DE3CE5058759
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: O_freeR_newR_set_debug$R_vset_errorX509_get0_pubkeyX_freeX_new
                                                                  • String ID: ssl\statem\statem_lib.c$tls_process_cert_verify
                                                                  • API String ID: 866029706-605054429
                                                                  • Opcode ID: 35390a3ecdc164a0991c63003aae187b0ec28cde386b9a84fd2919fcd9910f69
                                                                  • Instruction ID: e8c45a40780b0ffe1c47b5453ef2f6e24dbc7c299e2fe43881dcd794bbc3635d
                                                                  • Opcode Fuzzy Hash: 35390a3ecdc164a0991c63003aae187b0ec28cde386b9a84fd2919fcd9910f69
                                                                  • Instruction Fuzzy Hash: BFE170A2A08A8382EA109B79D4543BD67A1FFC8794F44C032DBCD476B6DF3CE5458318
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: X509_$R_newR_set_debugR_set_error$X_free$L_sk_num$D_run_onceL_sk_valueM_move_peernameM_set1X509_freeX_get0_chainX_get1_chainX_get_errorX_initX_new_exX_set0_daneX_set_defaultX_set_ex_dataX_set_flagsX_set_verify_cb
                                                                  • String ID: ssl\ssl_cert.c$ssl_client$ssl_server$ssl_verify_internal
                                                                  • API String ID: 39775831-3409017996
                                                                  • Opcode ID: 5c44e0598fe01823b60e0f3527982ffaf986ef63fc916fb156ab68a5797f0aea
                                                                  • Instruction ID: b440c6d79a66e80da06fb999c9908ae74793f8b5de56681b7e8a79be61eb40e0
                                                                  • Opcode Fuzzy Hash: 5c44e0598fe01823b60e0f3527982ffaf986ef63fc916fb156ab68a5797f0aea
                                                                  • Instruction Fuzzy Hash: 718172D6B08A4356FA68EB39D9112BA2391BF84780F44C435EF8D473B6EE3CE4558718
                                                                  APIs
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64(00000000,?,00007FFBBB8C6D26,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8BCB92
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64(00000000,?,00007FFBBB8C6D26,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8BCBBC
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(00000000,?,00007FFBBB8C6D26,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8BCBDB
                                                                  • EVP_PKEY_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCC37
                                                                  • X509_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCC89
                                                                  • EVP_PKEY_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCC9F
                                                                  • X509_chain_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCCAD
                                                                  • CRYPTO_memdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCCD9
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD22
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD3E
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD50
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD68
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD79
                                                                  • EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCD98
                                                                  • X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCDBA
                                                                  • EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCDC6
                                                                  • OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCDD3
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCDED
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE18
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE2E
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE44
                                                                  • X509_STORE_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE4D
                                                                  • X509_STORE_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE56
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE7B
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCE91
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCEA6
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCEEB
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCF0B
                                                                  • CRYPTO_memdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCF38
                                                                  • X509_STORE_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCF71
                                                                  • X509_STORE_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCF87
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBB8BCFF0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: O_free$X509_$E_freeE_up_refO_mallocO_memdupO_zallocX509_freeY_freeY_up_refmemcpy$O_strdupR_newR_set_debugR_set_errorX509_chain_up_refX509_up_ref
                                                                  • String ID: gfffffff$ssl\ssl_cert.c$ssl_cert_dup
                                                                  • API String ID: 2506476208-2918673968
                                                                  • Opcode ID: 4aabc9e47b0b68d61cbab0a4cf733eace30f04e56d1890a6f5a4c8303ad38d70
                                                                  • Instruction ID: ca83514d766778b6e2b303e499c2d3228ab905d29cb4278f2fd6c6154a8c8dc8
                                                                  • Opcode Fuzzy Hash: 4aabc9e47b0b68d61cbab0a4cf733eace30f04e56d1890a6f5a4c8303ad38d70
                                                                  • Instruction Fuzzy Hash: D7D149B6B05B4696EB64DF39E4902AC33A0FB88B84F048436DB8D47B65DF39E460C715
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: D_lock_freeO_free$D_lock_newO_free_ex_dataO_new_ex_dataO_zallocR_newR_set_debugR_set_error
                                                                  • String ID: SSL_set_ct_validation_callback$ossl_ssl_connection_new_int$ssl\ssl_lib.c
                                                                  • API String ID: 3044204582-3251968464
                                                                  • Opcode ID: 3102baa1412d9dc2fe6f24f4c092df0f04db6a9f7d3249aafc757541ecd36df3
                                                                  • Instruction ID: 7013579b05061b927632acb5ce3cf03ebc80d13bf777f0541b12c9f151bb5103
                                                                  • Opcode Fuzzy Hash: 3102baa1412d9dc2fe6f24f4c092df0f04db6a9f7d3249aafc757541ecd36df3
                                                                  • Instruction Fuzzy Hash: A5121AB6609F8296EB98DF39D9802A873A5FB48B44F088035DB5D477A5DF38E460C724
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB8B1030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBB8B1075
                                                                    • Part of subcall function 00007FFBBB8B1030: GetACP.KERNEL32 ref: 00007FFBBB8B108E
                                                                    • Part of subcall function 00007FFBBB8B1030: MultiByteToWideChar.KERNEL32 ref: 00007FFBBB8B10DC
                                                                    • Part of subcall function 00007FFBBB8B1030: MultiByteToWideChar.KERNEL32 ref: 00007FFBBB8B1187
                                                                    • Part of subcall function 00007FFBBB8B1030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBB8B119D
                                                                    • Part of subcall function 00007FFBBB8B1030: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBB8B114E
                                                                    • Part of subcall function 00007FFBBB8B1030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBB8B1237
                                                                    • Part of subcall function 00007FFBBB8B1030: WideCharToMultiByte.KERNEL32 ref: 00007FFBBB8B1269
                                                                    • Part of subcall function 00007FFBBB8B1030: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B1286
                                                                    • Part of subcall function 00007FFBBB8B1030: WideCharToMultiByte.KERNEL32 ref: 00007FFBBB8B12B6
                                                                    • Part of subcall function 00007FFBBB8B1030: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8B12CE
                                                                    • Part of subcall function 00007FFBBB8B1030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBB8B12E3
                                                                    • Part of subcall function 00007FFBBB8B1030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBB8B12FB
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7AC1
                                                                  • memcpy.VCRUNTIME140(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7ADB
                                                                  • BIO_snprintf.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7B08
                                                                  • BIO_snprintf.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7B45
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7B5C
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7BB4
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7BDC
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C00
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C24
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C5D
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C73
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C89
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7C9F
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7CB4
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7CC9
                                                                  • BIO_new_file.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7D09
                                                                  • BIO_free_all.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7D26
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7D74
                                                                  • BIO_free_all.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7D89
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7D9F
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7DB5
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7DCB
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7DE1
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E7E0B
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: O_free$ByteCharMultiO_strdupWide$EnvironmentVariable$O_free_allO_mallocO_snprintffree$O_new_fileO_zallocmallocmemcpy
                                                                  • String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl\quic\qlog.c
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EB2D
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EB45
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  • EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EB7A
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EBBF
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EBD7
                                                                  • OPENSSL_sk_new_null.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EBEC
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EC04
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB92EC1C
                                                                  • X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBB92EF8D
                                                                  • OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBB92EFA0
                                                                    • Part of subcall function 00007FFBBB936360: ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB92EB23), ref: 00007FFBBB936431
                                                                    • Part of subcall function 00007FFBBB936360: ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB92EB23), ref: 00007FFBBB936449
                                                                    • Part of subcall function 00007FFBBB936360: CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB92EB23), ref: 00007FFBBB9367A8
                                                                    • Part of subcall function 00007FFBBB936360: EVP_PKEY_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB92EB23), ref: 00007FFBBB9367B0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$X509_freeY_free$L_sk_new_nullO_freeR_vset_error
                                                                  • String ID: ssl\statem\statem_clnt.c$tls_process_server_certificate$tls_process_server_rpk
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB93DF98), ref: 00007FFBBB93CAA7
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB93DF98), ref: 00007FFBBB93CABF
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB93DF98), ref: 00007FFBBB93CB5A
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB93DF98), ref: 00007FFBBB93CB72
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: 0$ssl\statem\statem_srvr.c$tls-client-version$tls-negotiated-version$tls_process_cke_rsa
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_freeO_zallocY_freeY_get1_encoded_public_key
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_key_share
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Cpp_errorExclusiveLockObjectPaintThrow_std::_$AcquireCreateDeleteWindow$BeginBrowseClientCompatibleDrawFolderFreeFromImageListLoadMessagePathPostProcQuitRectReleaseSelectTaskText
                                                                  • String ID: $%$BUTTON$No BMP files found. Select a folder.$Select Folder$Select a folder containing BMP files
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_clear_free$L_cleanse$O_freeR_vset_errorY_freeY_get1_encoded_public_key
                                                                  • String ID: ssl\statem\statem_clnt.c$tls_construct_cke_ecdhe$tls_construct_cke_srp$tls_construct_client_key_exchange
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6AE2
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6AFA
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6B0C
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6B29
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6B41
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6D6B
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6D7F
                                                                  • OPENSSL_sk_new_reserve.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6DB7
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6DC8
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6DE0
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6DF1
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6E19
                                                                  • OSSL_PARAM_construct_int.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6F6D
                                                                  • OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C6F96
                                                                  • X509_VERIFY_PARAM_get_depth.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C707D
                                                                  • X509_VERIFY_PARAM_set_depth.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C70C7
                                                                  • CRYPTO_dup_ex_data.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C7124
                                                                  • X509_VERIFY_PARAM_inherit.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C7192
                                                                  • OPENSSL_sk_dup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C71A3
                                                                  • OPENSSL_sk_dup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFBBB8B34DD), ref: 00007FFBBB8C71C4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugX509_$L_sk_dupL_sk_numR_set_error$L_sk_new_reserveL_sk_valueM_construct_endM_construct_intM_get_depthM_inheritM_set_depthO_dup_ex_data
                                                                  • String ID: SSL_new$read_ahead$ssl\ssl_lib.c$ssl_dane_dup
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleFile$FindLockNameNamedPipeThreadVirtualVolume$AcquireAssignAtomAttachCallCompareContextCriticalCursorDirectoryDisableEnumEventFirstFreeGlobalInfoInitializeInputLanguagesMountObjectOpenPagesPeekPhysicalPointPointerProcessProfilingProtectResourceSectionServerSessionSharedTimeUser
                                                                  • String ID: t2x576cN3gs3qd8D182X
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: File$ConsoleTime$Concurrency::cancel_current_taskFindNumaOutputString$AttributesAvailableBandwidthButtonsCalendarCriticalCycleDateDebugFirstFormatIdleInfoInitializeListLocalLockMemoryModeMouseNodeNumberPathProcessProcessorQueryReadReservationSearchSectionViewVirtual
                                                                  • String ID: IJUUSMfvuSbooBJdQDkEU$TWKybXk$ah2dWNNLg7ZaS5HVWt$epQ1JrQDfAF17dXg6phN3J$qPw1SheJ7WGJzLi3u7
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BABF6
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAC0E
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAC20
                                                                  • ASN1_item_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAC2F
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAC82
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAC9A
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BACC3
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BACDB
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAD45
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAD7F
                                                                  • X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BADDB
                                                                  • EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BADF6
                                                                  • d2i_PUBKEY_ex.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAE31
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAE6D
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAEFB
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAF41
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAF59
                                                                    • Part of subcall function 00007FFBBB8BB500: CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBB8BAE9A,?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BB52E
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BAFC4
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BB02D
                                                                  • ASN1_item_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB8BAB6E), ref: 00007FFBBB8BB07F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeR_newR_set_debug$memcpy$N1_item_free$R_set_errorX509_freeY_exY_freed2i_
                                                                  • String ID: d2i_SSL_SESSION_ex$ssl\ssl_asn1.c
                                                                  • API String ID: 3345805239-3787699099
                                                                  • Opcode ID: b3d73e685dff178624565b53021dc5f85bd6414ecc8e7a2ca2140fad4d6d86c7
                                                                  • Instruction ID: 49d2fe1998d3fb6d0709b412d10bce144c9950dc54d57ff60a9b219466784540
                                                                  • Opcode Fuzzy Hash: b3d73e685dff178624565b53021dc5f85bd6414ecc8e7a2ca2140fad4d6d86c7
                                                                  • Instruction Fuzzy Hash: 73E12AB2609B8686EB659F39D9902BD23A4FB44B84F488036DF8D477B5DF39E450C318
                                                                  Similarity
                                                                  • API ID: L_cleanseO_clear_freeR_newR_set_debug$R_vset_errormemset
                                                                  • String ID: ssl\statem\statem_clnt.c$tls_construct_cke_psk_preamble
                                                                  • API String ID: 1497096399-961470946
                                                                  • Opcode ID: 96c9cc94501576d294ebac76d590668ebc025fcfb407287dbfab9ab9591df6af
                                                                  • Instruction ID: 2cc68441dd7b2e5885d3f37c4852c9bd9d57873823d5ea71bb635a6e32a132c0
                                                                  • Opcode Fuzzy Hash: 96c9cc94501576d294ebac76d590668ebc025fcfb407287dbfab9ab9591df6af
                                                                  • Instruction Fuzzy Hash: 367195A2B08A4782F650AB39E844BFE6650BF94784F448036EFCD4B6B5DF3CE5468354
                                                                  Similarity
                                                                  • API ID: O_printf$O_puts$O_freeO_zalloc
                                                                  • String ID: <unexpected trailing frame data skipped>$ Ack delay (raw) %llu$ Ack range count: %llu$ Ack range len: %llu$ First ack range: %llu$ Gap: %llu$ Largest acked: %llu$ (with ECN)$ (without ECN)$Ack $ssl\quic\quic_trace.c
                                                                  • API String ID: 1392080105-452490795
                                                                  • Opcode ID: 07dc2538a52216d5fded38c3e8a5a43232d8080ea45924f94e8f5f6bb705cb00
                                                                  • Instruction ID: ef8cc90e25b9813b8d615dc18b5df5bc857b36d795be6893e982d18570abc66d
                                                                  • Opcode Fuzzy Hash: 07dc2538a52216d5fded38c3e8a5a43232d8080ea45924f94e8f5f6bb705cb00
                                                                  • Instruction Fuzzy Hash: EB4148A2B08B4399EF10DBB9D8952F82361BB85794F81C036CF8D576A5DE7CE1468318
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\ssl_lib.c$ssl_cache_cipherlist
                                                                  • API String ID: 4275876640-2653005832
                                                                  • Opcode ID: b2d3ff2e7460bfd685355b8b56e15b030dc783cb0c699efb69fd5f80ed53db83
                                                                  • Instruction ID: 1c7ee1bc8353f420e460733620a34b8aa08a970676eabe00ca6e2772f1a90392
                                                                  • Opcode Fuzzy Hash: b2d3ff2e7460bfd685355b8b56e15b030dc783cb0c699efb69fd5f80ed53db83
                                                                  • Instruction Fuzzy Hash: FB71DFB2B19A8382E760DB39E9406F92351FF98B80F448131DF8D16AB6DF3CE5408318
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$D_unlock$D_read_lock$memset
                                                                  • String ID: ssl\ssl_sess.c$ssl_generate_session_id
                                                                  • API String ID: 3158670085-908510661
                                                                  • Opcode ID: c5c92589f067380b4c16620f942855eb683668670b87ab6595c67f881281faa4
                                                                  • Instruction ID: 090433b60dacc65126bb9c7537c180332703bc0868995176dcbba67fe3911c37
                                                                  • Opcode Fuzzy Hash: c5c92589f067380b4c16620f942855eb683668670b87ab6595c67f881281faa4
                                                                  • Instruction Fuzzy Hash: EB6180A2B1898382F768DB3AE8457F92360FB84784F588136DB4D47AB5DF2CE5418718
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$O_free$O_memcmpO_strndupmemchr
                                                                  • String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_server_name
                                                                  • API String ID: 780431574-97801704
                                                                  • Opcode ID: 8cd8da31e0efa234568788e742ee5960ecf7d41de1af41978b5eb7089d68118f
                                                                  • Instruction ID: d8d5e075dbe088829a745ac68706d6acf6502e6fb5e08c81479dcd07ac2f8a11
                                                                  • Opcode Fuzzy Hash: 8cd8da31e0efa234568788e742ee5960ecf7d41de1af41978b5eb7089d68118f
                                                                  • Instruction Fuzzy Hash: 0C71AFA2E08A8782EB609B39D4117B97751FB84B84F448036DFCC47AA6DF2CE554C758
                                                                  Similarity
                                                                  • API ID: N_clear_free$R_newR_set_debug$O_clear_freeO_malloc
                                                                  • String ID: srp_generate_client_master_secret$ssl\tls_srp.c
                                                                  • API String ID: 2561172722-329117511
                                                                  • Opcode ID: d8bfd6816ed20cacce01f4058fbd8d47f862d689326d9f6c77e7e6bee7343707
                                                                  • Instruction ID: 01822d5dc797eaa9908a002c08c6c3aee60b9c0c21ac03d56cfd4978dbe51696
                                                                  • Opcode Fuzzy Hash: d8bfd6816ed20cacce01f4058fbd8d47f862d689326d9f6c77e7e6bee7343707
                                                                  • Instruction Fuzzy Hash: 256190A6A09B4342E614AB3AD8507BD6751BF89B84F848435EF9D477A2DF3CE101C318
                                                                  Similarity
                                                                  • API ID: O_mallocR_newR_set_debug$O_clear_freeO_freeR_vset_errorX_freeX_new_from_pkeyY_encapsulate
                                                                  • String ID: ssl\s3_lib.c$ssl_encapsulate
                                                                  • API String ID: 3419928332-3980050716
                                                                  • Opcode ID: 14dc24e26e97b8e29fd39556cd48225bede60dd23707989e48314ad64baebf11
                                                                  • Instruction ID: a87c98451783ed327f1460f875c413e452e9bd8c9899fd5d10d59a3f8dcc0633
                                                                  • Opcode Fuzzy Hash: 14dc24e26e97b8e29fd39556cd48225bede60dd23707989e48314ad64baebf11
                                                                  • Instruction Fuzzy Hash: 1D5171B2A08B5342FB20AB7AE8405AA6756BF84784F448031EF8C47BB5DF3DE505C754
                                                                  Similarity
                                                                  • API ID: strncmp$R_new$R_set_debugR_set_error
                                                                  • String ID: SECLEVEL=$STRENGTH$ssl\ssl_ciph.c$ssl_cipher_process_rulestr
                                                                  • API String ID: 2651782980-2883399597
                                                                  • Opcode ID: be49c8fbb92ce15e49d716310c819b843e0d8a16d0e530c733032fc10c4ff7d7
                                                                  • Instruction ID: 03258e18e7ff4b7a0c71b2a79940dd004cecc2fdf0775cbed3ffab993dccc3f0
                                                                  • Opcode Fuzzy Hash: be49c8fbb92ce15e49d716310c819b843e0d8a16d0e530c733032fc10c4ff7d7
                                                                  • Instruction Fuzzy Hash: DAE170B2A0C6968AE7748A3DE85073E7791FB45B84F148035EF89477A5DF3DE8418B08
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$O_clear_freeO_mallocX_freeX_new_from_pkeyY_deriveY_is_a
                                                                  • String ID: ssl\s3_lib.c$ssl_derive
                                                                  • API String ID: 2419129917-758944717
                                                                  • Opcode ID: 2421948a54597ff3ca5b9774a60d19595f7767848053e8193c947c2826dae9bd
                                                                  • Instruction ID: 284f4aa0a5e59f07a6a5209fa7dca6925a079dc443f45f16eaa260d42368859b
                                                                  • Opcode Fuzzy Hash: 2421948a54597ff3ca5b9774a60d19595f7767848053e8193c947c2826dae9bd
                                                                  • Instruction Fuzzy Hash: 8151E6B2A0CA5342EA64EB7AE8402FD6751BF84BD0F44C431EF8C476B6DE6DE5418358
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $ $key expansion$ssl\t1_enc.c$tls1_setup_key_block
                                                                  • API String ID: 0-1703762739
                                                                  • Opcode ID: 75910e5e171926d91b1d22f83e03249d724c47a74bb7d714a6100aecbd94a4c8
                                                                  • Instruction ID: a00faa245c1eeebd8d5daad1eefa23ad4bf554392fc2bf9ae2b746e04f7d1d31
                                                                  • Opcode Fuzzy Hash: 75910e5e171926d91b1d22f83e03249d724c47a74bb7d714a6100aecbd94a4c8
                                                                  • Instruction Fuzzy Hash: 20618E72A09B8286E760DB28E4403ED73A4FB84B94F448136EF8C47BA9DF3CD1458B14
                                                                  Similarity
                                                                  • API ID: O_free$Y_free$L_sk_pop_freeO_clear_freememset
                                                                  • String ID: ssl\s3_lib.c
                                                                  • API String ID: 4031674668-3639828702
                                                                  • Opcode ID: d239469249c074a6f7263cfa99ef2d0d81c5b96c2e022865a3032791c1df6fc3
                                                                  • Instruction ID: 40d0aed98035cb95bc8fcb1f0d18c2704338a8d0da4c673503643e629225047f
                                                                  • Opcode Fuzzy Hash: d239469249c074a6f7263cfa99ef2d0d81c5b96c2e022865a3032791c1df6fc3
                                                                  • Instruction Fuzzy Hash: 4E413DE2B18A4791EB54EBB9D4913E92711FF88B84F448432DF5D4B2A6CE6DE1018339
                                                                  Similarity
                                                                  • API ID: ErrorLastO_test_flagsO_writeR_newR_set_debugR_vset_error
                                                                  • String ID: ssl\record\methods\tls_common.c$tls_retry_write_records$tls_write_records
                                                                  • API String ID: 1843479370-2458201149
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_mallocR_newR_set_debug
                                                                  • String ID: dtls_rlayer_buffer_record$ssl\record\methods\dtls_meth.c
                                                                  • API String ID: 681801835-4006006387
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_memdupR_newR_set_debug
                                                                  • String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_alpn
                                                                  • API String ID: 779157885-2990447755
                                                                  APIs
                                                                  • BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEB83
                                                                  • BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEB94
                                                                  • memcmp.VCRUNTIME140(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEBB3
                                                                  • BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEBD0
                                                                  • BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEBE1
                                                                  • memcmp.VCRUNTIME140(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEC00
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBB90A0DF,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB8FEC5E
                                                                  • BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFBBB8FED6E
                                                                  • BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFBBB8FED98
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_family$R_clearmemcmp$O_malloc
                                                                  • String ID: ssl\quic\quic_record_tx.c
                                                                  • API String ID: 552621978-2432027203
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_set_error$C_get_current_jobC_start_jobX_newX_set_callback
                                                                  • String ID: SSL_shutdown$expect_quic$ssl\quic\quic_impl.c$ssl\ssl_lib.c
                                                                  • API String ID: 4003173745-1009376166
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$O_mallocR_vset_error
                                                                  • String ID: ssl\statem\statem_clnt.c$tls_process_cert_status_body
                                                                  • API String ID: 683522601-145685350
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_mallocP_expand_blockR_vset_error
                                                                  • String ID: ssl\record\methods\tls_common.c$tls_default_post_process_record
                                                                  • API String ID: 496873950-3963434292
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_freeO_strdup
                                                                  • String ID: ssl3_ctrl$ssl\s3_lib.c
                                                                  • API String ID: 2909881267-3530330221
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_freeO_memdup
                                                                  • String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_ec_pt_formats
                                                                  • API String ID: 3243760035-4207898287
                                                                  APIs
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAA9B
                                                                  • OPENSSL_LH_new.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAABA
                                                                  • OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAAE3
                                                                  • OPENSSL_LH_new.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAAFF
                                                                  • OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAB28
                                                                  • OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAB46
                                                                  • OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAB4F
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8FAE75,?,00007FFBBB8F23F0), ref: 00007FFBBB8FAB64
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: H_freeH_newH_set_thunks$O_freeO_zalloc
                                                                  • String ID: ssl\quic\quic_lcidm.c
                                                                  • API String ID: 1806772546-3923830422
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFBBB8E3EA7,?,00007FFBBB8B7BE9), ref: 00007FFBBB8DCBC8
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFBBB8E3EA7,?,00007FFBBB8B7BE9), ref: 00007FFBBB8DCBE0
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00007FFBBB8E3EA7,?,00007FFBBB8B7BE9), ref: 00007FFBBB8DCBF0
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,00007FFBBB8E3EA7,?,00007FFBBB8B7BE9), ref: 00007FFBBB8DCC1C
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,00007FFBBB8E3EA7,?,00007FFBBB8B7BE9), ref: 00007FFBBB8DCC87
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeO_mallocR_newR_set_debugR_set_error
                                                                  • String ID: ssl\t1_lib.c$tls1_set_groups
                                                                  • API String ID: 3444577743-501428225
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                                  • String ID:
                                                                  • API String ID: 1617910340-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 313767242-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_freeO_strdupR_newR_set_debugR_set_error
                                                                  • String ID: SSL_use_psk_identity_hint$ssl\ssl_lib.c
                                                                  • API String ID: 598019968-2430927796
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                  • String ID: utf8
                                                                  • API String ID: 3069159798-905460609
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7A5
                                                                  • GetUserDefaultLCID.KERNEL32 ref: 00007FFBBB7FD558
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7D2
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7E3
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7F4
                                                                  • EnumSystemLocalesW.KERNEL32 ref: 00007FFBBB7FD53F
                                                                  • ProcessCodePage.LIBCMT ref: 00007FFBBB7FD582
                                                                  • IsValidCodePage.KERNEL32 ref: 00007FFBBB7FD594
                                                                  • IsValidLocale.KERNEL32 ref: 00007FFBBB7FD5AA
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FD606
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FD622
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                  • String ID:
                                                                  • API String ID: 2591520935-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_malloc
                                                                  • String ID: PATH_CHALLENGE valid only in 0/1-RTT$decode error$depack_do_frame_path_challenge$internal error
                                                                  • API String ID: 1457121658-3387751582
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 3140674995-0
                                                                  APIs
                                                                  • OPENSSL_LH_set_down_load.LIBCRYPTO-3-X64(?,00007FFBBB8FB46B,?,00007FFBBB8FAED7,?,00007FFBBB8F23F0), ref: 00007FFBBB8FA93C
                                                                  • OPENSSL_LH_doall_arg.LIBCRYPTO-3-X64(?,00007FFBBB8FB46B,?,00007FFBBB8FAED7,?,00007FFBBB8F23F0), ref: 00007FFBBB8FA94F
                                                                  • OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFBBB8FB46B,?,00007FFBBB8FAED7,?,00007FFBBB8F23F0), ref: 00007FFBBB8FA958
                                                                  • OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFBBB8FB46B,?,00007FFBBB8FAED7,?,00007FFBBB8F23F0), ref: 00007FFBBB8FA961
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8FB46B,?,00007FFBBB8FAED7,?,00007FFBBB8F23F0), ref: 00007FFBBB8FA976
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: H_free$H_doall_argH_set_down_loadO_free
                                                                  • String ID: ssl\quic\quic_lcidm.c
                                                                  • API String ID: 2477462044-3923830422
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                  • String ID:
                                                                  • API String ID: 355007559-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 1405656091-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 1239891234-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: X509_free$O_freeY_free
                                                                  • String ID: ssl\ssl_cert.c
                                                                  • API String ID: 3239439570-188639428
                                                                  APIs
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,00000000,00007FFBBB9002E1,?,00007FFBBB8EC994,00000000,?,?,00007FFBBB8F01CA,00000000,00007FFBBB8F8635,?,00000000), ref: 00007FFBBB900993
                                                                  • memcpy.VCRUNTIME140(?,?,00000000,00007FFBBB9002E1,?,00007FFBBB8EC994,00000000,?,?,00007FFBBB8F01CA,00000000,00007FFBBB8F8635,?,00000000), ref: 00007FFBBB900AA1
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,?,00000000,00007FFBBB9002E1,?,00007FFBBB8EC994,00000000,?,?,00007FFBBB8F01CA,00000000,00007FFBBB8F8635,?,00000000), ref: 00007FFBBB900B58
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeO_mallocmemcpy
                                                                  • String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/ring_buf.h
                                                                  • API String ID: 2350084802-864110966
                                                                  APIs
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8C1A1C
                                                                  • CRYPTO_strdup.LIBCRYPTO-3-X64 ref: 00007FFBBB8C1A31
                                                                    • Part of subcall function 00007FFBBB8D0D20: ERR_clear_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D2894
                                                                    • Part of subcall function 00007FFBBB8D0D20: BIO_s_file.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D28EF
                                                                    • Part of subcall function 00007FFBBB8D0D20: BIO_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D28F7
                                                                    • Part of subcall function 00007FFBBB8D0D20: ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D2904
                                                                    • Part of subcall function 00007FFBBB8D0D20: ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D291C
                                                                    • Part of subcall function 00007FFBBB8D0D20: ERR_set_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D2AD5
                                                                    • Part of subcall function 00007FFBBB8D0D20: X509_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D2ADF
                                                                    • Part of subcall function 00007FFBBB8D0D20: BIO_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBB8D2AE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_newO_s_fileO_strdupR_clear_errorR_newR_set_debugR_set_errorX509_free
                                                                  • String ID: gfffffff$ssl\ssl_conf.c
                                                                  • API String ID: 3937575344-992112152
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_memdup
                                                                  • String ID: ssl\ssl_lib.c
                                                                  • API String ID: 3545228654-1984206432
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_malloc
                                                                  • String ID: ssl\t1_lib.c
                                                                  • API String ID: 2767441526-1168734446
                                                                  APIs
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8BD131,?,00007FFBBB8C3B73,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB922A9B
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8BD131,?,00007FFBBB8C3B73,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB922AB1
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8BD131,?,00007FFBBB8C3B73,?,00007FFBBB8C73AB,?,00007FFBBB8F82BD,?,?,00000001,00007FFBBB8F361B), ref: 00007FFBBB922AD8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\statem\extensions_cust.c
                                                                  • API String ID: 2581946324-1564674317
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeO_zalloc_beginthreadex
                                                                  • String ID: crypto\thread\arch\thread_win.c
                                                                  • API String ID: 1240409343-2915021490
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\quic\quic_txpim.c
                                                                  • API String ID: 2581946324-1264249673
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                  • String ID:
                                                                  • API String ID: 3458911817-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeO_memdup
                                                                  • String ID: ssl\ssl_lib.c
                                                                  • API String ID: 3962629258-1984206432
                                                                  APIs
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B2C9E
                                                                    • Part of subcall function 00007FFBBB8B2860: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B287D
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8B2D3F
                                                                    • Part of subcall function 00007FFBBB8B2860: InitializeCriticalSection.KERNEL32 ref: 00007FFBBB8B2893
                                                                    • Part of subcall function 00007FFBBB8B2460: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B247F
                                                                    • Part of subcall function 00007FFBBB8B2940: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B2964
                                                                    • Part of subcall function 00007FFBBB8B2940: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBB8B2990
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_zalloc$CriticalInitializeO_freeO_mallocSection_beginthreadex
                                                                  • String ID: crypto\thread\arch.c
                                                                  • API String ID: 4205757297-147645559
                                                                  APIs
                                                                  • OPENSSL_LH_delete.LIBCRYPTO-3-X64(?,00007FFBBB8F86D2,?,00000000,?,?,?,00007FFBBB8F359D), ref: 00007FFBBB904A04
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8F86D2,?,00000000,?,?,?,00007FFBBB8F359D), ref: 00007FFBBB904A19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: H_deleteO_free
                                                                  • String ID: ssl\quic\quic_stream_map.c
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: crypto\thread\arch.c
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB8E7050: BIO_ctrl.LIBCRYPTO-3-X64(00000000,00007FFBBB8E6B67,00000000,00007FFBBB8E7D85,?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E70C3
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBB8E7D85,?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E6B7A
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBB8E7D85,?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E6BA3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free$O_ctrl
                                                                  • String ID: ssl\quic\json_enc.c
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7A5
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FCED0
                                                                    • Part of subcall function 00007FFBBB7F88D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBBB7F88F5
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FCF19
                                                                    • Part of subcall function 00007FFBBB7F88D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBBB7F894E
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FCFE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
                                                                  • String ID:
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB90E860: CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFBBB90EDA6,00000000,00007FFBBB8EB14A,?,00007FFBBB8EA9AE), ref: 00007FFBBB90E886
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8EABBA), ref: 00007FFBBB90EC42
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_freeO_malloc
                                                                  • String ID: ssl\quic\uint_set.c
                                                                  APIs
                                                                  • CRYPTO_realloc.LIBCRYPTO-3-X64(?,00000000,?,00007FFBBB9061D8,?,00007FFBBB8EF4E2,?,00007FFBBB8F0F50), ref: 00007FFBBB922C21
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_realloc
                                                                  • String ID: ssl\statem\extensions_cust.c
                                                                  APIs
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFBBB908D4F,?,?,00000004,?,?,00000004,00007FFBBB907981,?,?,?,?,?,?,00007FFBBB8EF82E), ref: 00007FFBBB90AAFF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_zalloc
                                                                  • String ID: ssl\quic\quic_txpim.c
                                                                  APIs
                                                                  • CRYPTO_realloc.LIBCRYPTO-3-X64(00000000,00007FFBBB90A08B,00000000,?,?,00000004,?,?,00007FFBBB907D38), ref: 00007FFBBB90AC8C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_realloc
                                                                  • String ID: ssl\quic\quic_txpim.c
                                                                  APIs
                                                                  • CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B1C95
                                                                    • Part of subcall function 00007FFBBB8B1A20: BUF_MEM_grow.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBB8B136E), ref: 00007FFBBB8B1AB1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: M_growO_zalloc
                                                                  • String ID: crypto\packet.c
                                                                  APIs
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(000004A0,00007FFBBB910114,?,00000000,000004A0), ref: 00007FFBBB911AFA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\record\rec_layer_s3.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_malloc
                                                                  • String ID: ssl\quic\quic_demux.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\quic\quic_demux.c
                                                                  • API String ID: 2581946324-194952269
                                                                  • Opcode ID: 2478f51679711b79efec2d88b54a6df360b1db138f584480d6ceb409422a2fa1
                                                                  • Instruction ID: 726071840d22fe8f85a730807c48764294094cc1ea2fb51779f87d8ad0cfe870
                                                                  • Opcode Fuzzy Hash: 2478f51679711b79efec2d88b54a6df360b1db138f584480d6ceb409422a2fa1
                                                                  • Instruction Fuzzy Hash: 51112AA2A16B8580EE529F2DD54022863A5FF54FC8B28D531DB4C47768EE2DD4A1C304
                                                                  APIs
                                                                  • CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFBBB8E7C44,?,00000000,?,?,02000100,00007FFBBB8EC1FB,02000100,00007FFBBB8EE4EA,?,00007FFBBB8F0F24), ref: 00007FFBBB8E6C0F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_malloc
                                                                  • String ID: ssl\quic\json_enc.c
                                                                  • API String ID: 1457121658-3790216822
                                                                  • Opcode ID: a812761d5be0521279246a99b307856972bfaf4717839bd69038e363915a064f
                                                                  • Instruction ID: 2783d7220c6ab3ce02d617259a6caded338218348d481076c98f954afcd06b9c
                                                                  • Opcode Fuzzy Hash: a812761d5be0521279246a99b307856972bfaf4717839bd69038e363915a064f
                                                                  • Instruction Fuzzy Hash: 9001A563D187C186D340CF2CE54036D77A0FB68B88F24E225EB8C02266EA76D5D2C304
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID: GetLocaleInfoEx
                                                                  • API String ID: 2299586839-2904428671
                                                                  • Opcode ID: bb598a1f472f759a90bc18668d120ab468c8aa729e463f67cb55042580be057d
                                                                  • Instruction ID: 7a518f137c8710264eb623c964e150fa8bc09d301bc6ee4ca77358363675a8ce
                                                                  • Opcode Fuzzy Hash: bb598a1f472f759a90bc18668d120ab468c8aa729e463f67cb55042580be057d
                                                                  • Instruction Fuzzy Hash: 4601A7A5B18B8186EB109BABF8005A6A361FF88BD0F58C035DF4D43B76CE3CD5418388
                                                                  APIs
                                                                  • CRYPTO_realloc.LIBCRYPTO-3-X64(?,00007FFBBB9087E3,?,?,?,?,?,00000000,?,00007FFBBB907CC1), ref: 00007FFBBB9089F1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_realloc
                                                                  • String ID: ssl\quic\quic_txp.c
                                                                  • API String ID: 3931833713-3700743932
                                                                  • Opcode ID: 7f0d074b31978773a87242dd835540c81a5dcb31978fde13dd91076c6bfffc33
                                                                  • Instruction ID: 6b09b493904005e0556575ceeb9b7630c75951554b52e206f73b8043226fd749
                                                                  • Opcode Fuzzy Hash: 7f0d074b31978773a87242dd835540c81a5dcb31978fde13dd91076c6bfffc33
                                                                  • Instruction Fuzzy Hash: 35F0C8E2B15B4283FF448729E5403642291FB547C8F545431DF9C57795EF2DE5A1C318
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB8FC220: CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8FBC7D,?,00007FFBBB8EBA05), ref: 00007FFBBB8FC29B
                                                                    • Part of subcall function 00007FFBBB8FD7F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,00007FFBBB8FE85B,?,00007FFBBB8EB964), ref: 00007FFBBB8FD879
                                                                    • Part of subcall function 00007FFBBB8FD7F0: OPENSSL_cleanse.LIBCRYPTO-3-X64(?,00007FFBBB8FE85B,?,00007FFBBB8EB964), ref: 00007FFBBB8FD88F
                                                                    • Part of subcall function 00007FFBBB8FD7F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,00007FFBBB8FE85B,?,00007FFBBB8EB964), ref: 00007FFBBB8FD8C9
                                                                    • Part of subcall function 00007FFBBB8FD7F0: OPENSSL_cleanse.LIBCRYPTO-3-X64(?,00007FFBBB8FE85B,?,00007FFBBB8EB964), ref: 00007FFBBB8FD8DF
                                                                    • Part of subcall function 00007FFBBB8FD7F0: EVP_MD_free.LIBCRYPTO-3-X64(?,00007FFBBB8FE85B,?,00007FFBBB8EB964), ref: 00007FFBBB8FD8ED
                                                                  • CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBB8EBA05), ref: 00007FFBBB8FBCCF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_cleanseO_freeX_free$D_free
                                                                  • String ID: ssl\quic\quic_record_rx.c
                                                                  • API String ID: 605114375-3047069087
                                                                  • Opcode ID: 16fe0e4dbf4aae1d5425485b8cf7adb74aec45e053169e44d698899bdbd40c0c
                                                                  • Instruction ID: 7ccb50fb79419332f652bfb63515862f99b2b47943b52361c4ee8c44af142abd
                                                                  • Opcode Fuzzy Hash: 16fe0e4dbf4aae1d5425485b8cf7adb74aec45e053169e44d698899bdbd40c0c
                                                                  • Instruction Fuzzy Hash: ED01A2A6B1864252FA44E77DD6912BD5311FF44780F409431EB4E43AB6DF6CE1528705
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_zalloc
                                                                  • String ID: crypto\packet.c
                                                                  • API String ID: 1208671065-224687097
                                                                  • Opcode ID: 345f99134737494993e9b607a0b7145cb7d727d02967e98820a42e582d3babb3
                                                                  • Instruction ID: 83e71cf703ddd517e2797a90ad66e27c86621e045d61442c9ffccecf4db9d613
                                                                  • Opcode Fuzzy Hash: 345f99134737494993e9b607a0b7145cb7d727d02967e98820a42e582d3babb3
                                                                  • Instruction Fuzzy Hash: F8F054F2A06B0181EB559B7DE49536822A0FB4CB58F648434DB4C4B3A1EF7ED9D2C354
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\statem\extensions.c
                                                                  • API String ID: 2581946324-3728926295
                                                                  • Opcode ID: c91a7da5392af13b4a522c654a995c42ed2d7325d766e8b6aa9deae1ebef8452
                                                                  • Instruction ID: 30e3fff7eb46ac0afb78a770c7a85d91d00514b92d6b36446f5342f528a6e843
                                                                  • Opcode Fuzzy Hash: c91a7da5392af13b4a522c654a995c42ed2d7325d766e8b6aa9deae1ebef8452
                                                                  • Instruction Fuzzy Hash: 98E0C2E2B43A4345F7C09B78C8447A42294FF4C740F144130DF6CC7353EE1880918328
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_free
                                                                  • String ID: ssl\statem\extensions.c
                                                                  • API String ID: 2581946324-3728926295
                                                                  • Opcode ID: 86dbd24353a763156df0f772541651b53b1ee754f80b3551e9b0a1d0862f39d5
                                                                  • Instruction ID: dc19148e638290317b5c54a2b16e7878c6798ff54539278c49d47b283c72451c
                                                                  • Opcode Fuzzy Hash: 86dbd24353a763156df0f772541651b53b1ee754f80b3551e9b0a1d0862f39d5
                                                                  • Instruction Fuzzy Hash: 1CD0A7D6F06A4241FB40ABB9D4497D86210EF4C758F148031DF4C8B393DE5DD2C28728
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: D_unlockD_write_lock
                                                                  • String ID:
                                                                  • API String ID: 1724170673-0
                                                                  • Opcode ID: 08e68c043ecf28fdac3dbec212fa440aa0356f5ae018d8dcad2c09755ee9fbdb
                                                                  • Instruction ID: 43442ac4bd51895426415fd4a11c73b67e4eb1aa45a6ee8be15d32660b2247c1
                                                                  • Opcode Fuzzy Hash: 08e68c043ecf28fdac3dbec212fa440aa0356f5ae018d8dcad2c09755ee9fbdb
                                                                  • Instruction Fuzzy Hash: 430188A2B1C54242EB60C739E94013952B0FF44BC4F188131FB5D877BEDE6AD891C704
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93c97a5dc151f12730cc32e2f8e1071eba00def41d8be5067f72928a39d7d3c2
                                                                  • Instruction ID: 957e253582c2f299794c1d2ab0af594ddf10857c7ca29e300f941e831a95d700
                                                                  • Opcode Fuzzy Hash: 93c97a5dc151f12730cc32e2f8e1071eba00def41d8be5067f72928a39d7d3c2
                                                                  • Instruction Fuzzy Hash: 7151B3A2B086C289FB109B7BE8545AA7BA5FB407D4F148234EF5C27AB5DE3CD1418708
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7A5
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FD114
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 673564084-0
                                                                  • Opcode ID: 7ac0da891edaad3b64c73e8cdbfe7a303baa2ac48ea2659f2d1c8dbea756fbb7
                                                                  • Instruction ID: 5b40e55bd2ae9e28ef9ad2a05881c04a83f7439e02b200550f5ca23e563162a1
                                                                  • Opcode Fuzzy Hash: 7ac0da891edaad3b64c73e8cdbfe7a303baa2ac48ea2659f2d1c8dbea756fbb7
                                                                  • Instruction Fuzzy Hash: CD317FB2A186C286EB64CB3AE8417AA72A1FB49784F40C135DB4D836B5DE3CE5058748
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                  • EnumSystemLocalesW.KERNEL32 ref: 00007FFBBB7FCD9A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$EnumLocalesSystemValue
                                                                  • String ID:
                                                                  • API String ID: 3029459697-0
                                                                  • Opcode ID: 4156e60f6290601d50d5936f0adf6c4cbb164fdee686d87bbc8675f40d09db58
                                                                  • Instruction ID: a56dfc351c2827dd67e126436eb2377e3d82573d309792d6864a47a5b894171b
                                                                  • Opcode Fuzzy Hash: 4156e60f6290601d50d5936f0adf6c4cbb164fdee686d87bbc8675f40d09db58
                                                                  • Instruction Fuzzy Hash: 9B11D2A3A186858AEB148F3AD0442AC7BA0FB40FA0F44C135C769433F4DAA8DAD1D744
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FFBBB7FD2EB
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ErrorLast$InfoLocaleValue
                                                                  • String ID:
                                                                  • API String ID: 3796814847-0
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB7EE760: GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                    • Part of subcall function 00007FFBBB7EE760: FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                    • Part of subcall function 00007FFBBB7EE760: SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                  • EnumSystemLocalesW.KERNEL32 ref: 00007FFBBB7FCE4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ErrorLast$EnumLocalesSystemValue
                                                                  • String ID:
                                                                  • API String ID: 3029459697-0
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB90D3F0: ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBB90DC0C,?,00007FFBBB8EEDA9), ref: 00007FFBBB90D4E0
                                                                    • Part of subcall function 00007FFBBB90D3F0: ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBB90DC0C,?,00007FFBBB8EEDA9), ref: 00007FFBBB90D4F8
                                                                    • Part of subcall function 00007FFBBB90D3F0: ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBB90DC0C,?,00007FFBBB8EEDA9), ref: 00007FFBBB90D84F
                                                                    • Part of subcall function 00007FFBBB90D3F0: EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBB90DC0C,?,00007FFBBB8EEDA9), ref: 00007FFBBB90D856
                                                                    • Part of subcall function 00007FFBBB90D3F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBB90DC0C,?,00007FFBBB8EEDA9), ref: 00007FFBBB90D85D
                                                                  • CRYPTO_memcmp.LIBCRYPTO-3-X64(?,00007FFBBB8EEDA9), ref: 00007FFBBB90DC2A
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_memcmpR_freeR_newR_set_debugR_set_errorX_free
                                                                  • String ID:
                                                                  • API String ID: 3555451423-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: EnumLocalesSystem
                                                                  • String ID:
                                                                  • API String ID: 2099609381-0
                                                                  APIs
                                                                  • BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FC36
                                                                  • BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FC51
                                                                  • BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FC63
                                                                  • OSSL_PARAM_BLD_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FC8B
                                                                  • OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FCAE
                                                                  • OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FCC8
                                                                  • OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FCE2
                                                                  • OSSL_PARAM_BLD_to_param.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FCF2
                                                                  • EVP_PKEY_CTX_new_from_name.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD14
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD21
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD39
                                                                  • EVP_PKEY_fromdata_init.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD4C
                                                                  • EVP_PKEY_fromdata.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD6D
                                                                  • EVP_PKEY_CTX_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD7D
                                                                  • EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FD94
                                                                  • EVP_PKEY_get_security_bits.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FDCF
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FDF8
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FE10
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FEB4
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FEC3
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FEDB
                                                                  • OSSL_PARAM_BLD_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FEF9
                                                                  • OSSL_PARAM_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF01
                                                                  • EVP_PKEY_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF0E
                                                                  • EVP_PKEY_CTX_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF16
                                                                  • BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF23
                                                                  • BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF2B
                                                                  • BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF33
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF50
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB92DFDF,?,?,?,?,?,?), ref: 00007FFBBB92FF68
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$D_push_N_bin2bnN_free$X_free$D_freeD_newD_to_paramM_freeX_new_from_nameX_new_from_pkeyY_freeY_fromdataY_fromdata_initY_get_security_bits
                                                                  • String ID: pub$ssl\statem\statem_clnt.c$tls_process_ske_dhe
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: strncmp$R_newR_set_debug$R_vset_error
                                                                  • String ID: CONNE$GET $HEAD $POST $PUT $ssl\record\methods\tlsany_meth.c$tls_validate_record_header
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Digest$Update$R_new$Final_ex$Init_exR_set_debugX_freeX_new$D_fetchJ_nid2snL_cleanseR_pop_to_markR_set_markmemcpymemset
                                                                  • String ID: A$ssl3_generate_key_block$ssl\s3_enc.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_clear_errorX509_free$O_ctrlO_freeO_newO_s_fileR_set_errorX509_new_ex
                                                                  • String ID: ssl\ssl_rsa.c$use_certificate_chain_file
                                                                  APIs
                                                                  • EVP_MD_fetch.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFC4B
                                                                  • EVP_MD_get0_name.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFCA7
                                                                  • EVP_KDF_fetch.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFCC8
                                                                  • EVP_KDF_CTX_new.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFCDC
                                                                  • OSSL_PARAM_construct_int.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFCFF
                                                                  • OSSL_PARAM_construct_utf8_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFD32
                                                                  • OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFD71
                                                                  • OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFDAE
                                                                  • OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFDD9
                                                                  • EVP_KDF_derive.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFE16
                                                                  • EVP_KDF_CTX_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFE2C
                                                                  • EVP_KDF_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFE34
                                                                  • EVP_MD_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFECD
                                                                  • EVP_MD_up_ref.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBB8F0EED,?,00007FFBBB8F892B,?,00007FFBBB8F3562), ref: 00007FFBBB8FFFB8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: M_construct_octet_string$D_fetchD_freeD_get0_nameD_up_refF_deriveF_fetchF_freeM_construct_endM_construct_intM_construct_utf8_stringX_freeX_new
                                                                  • String ID: $ $HKDF$SHA256$client in$digest$key$mode$salt$server in
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printf$O_puts$O_indent
                                                                  • String ID: Illegal Alert Length$ Level=%s(%d), description=%s(%d)$ change_cipher_spec (1)$ Content Type = %s (%d) Length = %d$ Inner Content Type = %s (%d)$ epoch=%d, sequence_number=%04x%04x%04x$ TLS RecordHeader: Version = %s (0x%x)$ too short message$Message length parse error!$Received$Sent$UNKNOWN$unknown value
                                                                  APIs
                                                                  Strings
                                                                  • 666666666666666666666666666666666666666666666666\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ssl3_set_crypto_state, xrefs: 00007FFBBB914A5F, 00007FFBBB914B3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Digest$Update$X_get0_cipher$Final_exX_copy_exX_freememcpy$D_get_sizeD_is_aO_get_typeR_get_modeX_new
                                                                  • String ID: 666666666666666666666666666666666666666666666666\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ssl3_set_crypto_state
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$O_get_typeR_vset_error
                                                                  • String ID: ssl\t1_lib.c$tls12_check_peer_sigalg
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Digest$Update$Final_exInit_ex$L_cleanseR_newR_set_debugR_vset_errorX_freeX_new
                                                                  • String ID: ssl3_generate_master_secret$ssl\s3_enc.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_errorX509_free
                                                                  • String ID: SSL_use_certificate_file$ssl\ssl_rsa.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: X509_$E_freeL_sk_set_cmp_funcM_read_bio_X509$E_dupL_sk_findL_sk_pushO_ctrlO_freeO_newO_s_fileR_clear_errorR_newR_set_debugR_set_errorX509_freeX509_get_subject_name
                                                                  • String ID: SSL_add_file_cert_subjects_to_stack$ssl\ssl_cert.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$ErrorLastM_freeR_clear_errorR_set_error
                                                                  • String ID: ssl\statem\statem.c$state_machine
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DA61
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DA79
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DA8A
                                                                  • EVP_CIPHER_CTX_new.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DAAD
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DABB
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DAD3
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DAE4
                                                                  • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DAF7
                                                                  • EVP_CIPHER_get_key_length.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB08
                                                                  • EVP_CipherInit_ex.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB38
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB5C
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB71
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB82
                                                                  • EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB8B
                                                                  • EVP_CIPHER_free.LIBCRYPTO-3-X64(00000080,00007FFBBB8FE30E,?,?,?,?,?,00000000,?,00000000,00007FFBBB8FEA40,00007FFBBB8FFFEC,?,00000000), ref: 00007FFBBB90DB9C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$CipherInit_exR_fetchR_freeR_get_key_lengthX_freeX_new
                                                                  • String ID: AES-128-ECB$AES-256-ECB$ChaCha20$ossl_quic_hdr_protector_init$ssl\quic\quic_wire_pkt.c
                                                                  APIs
                                                                  • BUF_MEM_free.LIBCRYPTO-3-X64(?,02000100,?,00007FFBBB8F0F0C), ref: 00007FFBBB8EC0A8
                                                                    • Part of subcall function 00007FFBBB90CC90: memcpy.VCRUNTIME140(00000000,00007FFBBB8EBCBB,?,02000100,?,00007FFBBB8F0F0C), ref: 00007FFBBB90CD0A
                                                                    • Part of subcall function 00007FFBBB90CD40: memcpy.VCRUNTIME140(00000000,00007FFBBB8EBCE3,?,02000100,?,00007FFBBB8F0F0C), ref: 00007FFBBB90CDC4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$M_free
                                                                  • String ID: active_connection_id_limit$disable_active_migration$initial_max_data$initial_max_stream_data_bidi_local$initial_max_stream_data_bidi_remote$initial_max_stream_data_uni$initial_max_streams_bidi$initial_max_streams_uni$initial_source_connection_id$local$max_ack_delay$max_idle_timeout$max_udp_payload_size$original_destination_connection_id$owner$parameters_set$transport$transport:parameters_set
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$D_get_sizeR_vset_error
                                                                  • String ID: derive_secret_key_and_iv$key$ssl\tls13_enc.c$tls13_hkdf_expand
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$X_newmemcpy
                                                                  • String ID: ssl\record\methods\tls13_meth.c$tls13_set_crypto_state
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_error
                                                                  • String ID: SSL_CTX_use_PrivateKey_file$ssl\ssl_rsa.c
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateLongMessage$ObjectPostProcQuitSendStockText
                                                                  • String ID: 2$2$BUTTON$STATIC
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_key_share
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AAFF
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB17
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB5D
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB75
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: set_client_ciphersuite$ssl\statem\statem_clnt.c
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_errormemcpy
                                                                  • String ID: ORIG_DCID was not sent but is required$PREFERRED_ADDR appears multiple times$PREFERRED_ADDR is malformed$PREFERRED_ADDR may not be sent by a client$PREFERRED_ADDR provided for zero-length CID$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c$zero-length CID in PREFERRED_ADDR
                                                                  Similarity
                                                                  • API ID: strncmp$R_newR_set_debugR_set_error
                                                                  • String ID: ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192$check_suiteb_cipher_list$ssl\ssl_ciph.c
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$D_get_sizeR_vset_errorY_get_size
                                                                  • String ID: gfffffff$gfffffff$ssl\t1_lib.c$tls_choose_sigalg
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$X_get0_cipher$D_get_sizeP_compress_blockR_vset_errormemset
                                                                  • String ID: ssl\record\methods\tls_common.c$tls_write_records_default
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$ErrorLast$O_ctrlO_freeO_readO_test_flagsmemcpy
                                                                  • String ID: ssl\record\methods\tls_common.c$tls_default_read_n
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveH_retrieveO_freeO_zallocR_newR_set_error
                                                                  • String ID: ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$STATELESS_RESET_TOKEN appears multiple times$STATELESS_RESET_TOKEN encountered internal error$STATELESS_RESET_TOKEN is malformed$STATELESS_RESET_TOKEN may not be sent by a client$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$L_sk_freeL_sk_new_nullstrchrstrncmp
                                                                  • String ID: ssl\d1_srtp.c$ssl_ctx_make_profiles
                                                                  APIs
                                                                  • OSSL_ERR_STATE_restore.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0A99
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0ABC
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0AD4
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0B4C
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0B53
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0B6B
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0BA6
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0BD7
                                                                  • OSSL_ERR_STATE_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0BE8
                                                                  • OSSL_ERR_STATE_save.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBB8EF53D,?,00007FFBBB8F0F50), ref: 00007FFBBB8F0BFC
                                                                  Similarity
                                                                  • API ID: R_set_debug$R_newR_set_error$E_newE_restoreE_save
                                                                  • String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_use_srtp
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: MAX_IDLE_TIMEOUT appears multiple times$MAX_IDLE_TIMEOUT is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-1069301341
                                                                  • Opcode ID: 7b32abd198ed567e7fd5aabd7cb2b134eb7d76673e50838616ca72e168881d86
                                                                  • Instruction ID: 5764895ee3e2b6c9bf2dbf33a943079fd04b0f90ec05a9e5b6dcda2f67dbca9b
                                                                  • Opcode Fuzzy Hash: 7b32abd198ed567e7fd5aabd7cb2b134eb7d76673e50838616ca72e168881d86
                                                                  • Instruction Fuzzy Hash: 0C516BA2A19B9396FB90CB78E8447BD23A5BB44344F448039EF8D17AA5DF3CE545C308
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: INITIAL_MAX_STREAMS_UNI appears multiple times$INITIAL_MAX_STREAMS_UNI is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-1123866485
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: INITIAL_MAX_STREAMS_BIDI appears multiple times$INITIAL_MAX_STREAMS_BIDI is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-4016402075
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: ACTIVE_CONN_ID_LIMIT appears multiple times$ACTIVE_CONN_ID_LIMIT is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-2406644886
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: MAX_UDP_PAYLOAD_SIZE appears multiple times$MAX_UDP_PAYLOAD_SIZE is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-1029980837
                                                                  Similarity
                                                                  • API ID: R_set_debug$E_newE_saveR_newR_set_error
                                                                  • String ID: DISABLE_ACTIVE_MIGRATION appears multiple times$DISABLE_ACTIVE_MIGRATION is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
                                                                  • API String ID: 2363558997-1192419531
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3,?,-0000001F,00000000,?), ref: 00007FFBBB8D0B5E
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3,?,-0000001F,00000000,?), ref: 00007FFBBB8D0B76
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3,?,-0000001F,00000000,?), ref: 00007FFBBB8D0B86
                                                                  • ERR_new.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3), ref: 00007FFBBB8D0BBC
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3), ref: 00007FFBBB8D0BD4
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFBBB8D29E3), ref: 00007FFBBB8D0BE2
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: SSL_CTX_use_certificate$ssl\ssl_rsa.c$ssl_set_cert
                                                                  • API String ID: 1552677711-3127846650
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDB9F
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDBB7
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDBC8
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDD31
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDD49
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,?,00007FFBBB8FCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBB8FC74E,?,?,00000000,?,00000000), ref: 00007FFBBB8FDD5A
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: ossl_qrl_enc_level_set_key_update$quic ku$ssl\quic\quic_record_shared.c
                                                                  • API String ID: 1552677711-2650046233
                                                                  Similarity
                                                                  • API ID: C_start_jobR_newR_set_debugR_set_errorX_newX_set_callback
                                                                  • String ID: ($ssl\ssl_lib.c$ssl_start_async_job
                                                                  • API String ID: 3907389051-658281695
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$X509X509_freeX509_new_exd2i_
                                                                  • String ID: SSL_use_certificate_ASN1$ssl\ssl_rsa.c
                                                                  • API String ID: 4137050946-2346987793
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$X509X509_freeX509_new_exd2i_
                                                                  • String ID: SSL_CTX_use_certificate_ASN1$ssl\ssl_rsa.c
                                                                  • API String ID: 4137050946-3637493151
                                                                  Similarity
                                                                  • API ID: D_freeD_newD_push_D_push_uintD_to_paramM_freeN_freeN_get_rfc3526_prime_8192X_freeX_new_from_nameY_fromdataY_fromdata_init
                                                                  • String ID:
                                                                  • API String ID: 2253699700-0
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug
                                                                  • String ID: final_key_share$ssl\statem\extensions.c
                                                                  • API String ID: 476316267-2857491001
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_indent$O_printf$O_puts
                                                                  • String ID: No Ticket$ticket$ticket_age_add=%u$ticket_lifetime_hint=%u$ticket_nonce
                                                                  • API String ID: 1353156648-4248733311
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$Y_new
                                                                  • String ID: SSL_CTX_use_RSAPrivateKey$ssl\ssl_rsa_legacy.c
                                                                  • API String ID: 2166683265-1409161961
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Len: <implicit length>$ Offset: %llu$ Stream id: %llu
                                                                  • API String ID: 3964688267-1947365733
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_err_is_non_fatalO_recvmmsgR_clearR_clear_last_markR_peek_last_errorR_pop_to_markR_set_mark
                                                                  • String ID:
                                                                  • API String ID: 1430013108-3916222277
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Message$CreateWindow$BrushClassDispatchRegisterShowSolidTranslate
                                                                  • String ID: ---$gHWSGbdFKbOGelbftkwDZI
                                                                  • API String ID: 1950154865-3763894484
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_puts$O_printf
                                                                  • String ID: Master-Key:$%02X$RSA $Session-ID:
                                                                  • API String ID: 4098839300-1878088908
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Token: $<zero length token>$New token
                                                                  • API String ID: 1322637139-1505068329
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: M_locate_const
                                                                  • String ID: bytes_in_flight$cur_cwnd_size$cur_state$max_dgram_payload_len$min_cwnd_size
                                                                  • API String ID: 907452466-1387113187
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Len, Fin)
                                                                  • API String ID: 3964688267-755667354
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Len)
                                                                  • API String ID: 3964688267-4170081695
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Fin)
                                                                  • API String ID: 3964688267-4176003718
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Len)
                                                                  • API String ID: 3964688267-741583600
                                                                  • Opcode ID: 39460471fefb9bfff53518c31bbd2de831574e91a9b0d0b91c4677c2e442af46
                                                                  • Instruction ID: 6c0ed3f2e77ba88d73a4edce294767701f0c918f8f2bd720abd550170377e8fa
                                                                  • Opcode Fuzzy Hash: 39460471fefb9bfff53518c31bbd2de831574e91a9b0d0b91c4677c2e442af46
                                                                  • Instruction Fuzzy Hash: 10115ED2A0865384FE10DB79E8513F81321BF81798F84D032CF8E465B6DE7CE5828358
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Fin)
                                                                  • API String ID: 3964688267-743771625
                                                                  • Opcode ID: caf7e5fee4717f8ab89a7dfe5713e7152aefe660eaf53023dd7a75dc91576464
                                                                  • Instruction ID: 8b94e0bf89c01c152dcb0d780bd276981fe0466aa1235435a8d31e4c358073f0
                                                                  • Opcode Fuzzy Hash: caf7e5fee4717f8ab89a7dfe5713e7152aefe660eaf53023dd7a75dc91576464
                                                                  • Instruction Fuzzy Hash: A4114CD2A0865384FE10DB79E8513F81321BB81798F84D032CF8E465B6DE7CE5828358
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off)
                                                                  • API String ID: 3964688267-2743656729
                                                                  • Opcode ID: fc1ecabf71f8efac3d7d06e3fcbc10635bf91dff0d3aa26663b7f0b43a33f7da
                                                                  • Instruction ID: 0e585b1b11ebff4f486e6a4bb0abdd0c4b2478d2c045784ab2cfa32ce7649ce0
                                                                  • Opcode Fuzzy Hash: fc1ecabf71f8efac3d7d06e3fcbc10635bf91dff0d3aa26663b7f0b43a33f7da
                                                                  • Instruction Fuzzy Hash: 8B114CD2A0865384FE10DB79E8513F81321BB81798F84D032DF8E465B6DE6CE5828358
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Len, Fin)
                                                                  • API String ID: 3964688267-815063566
                                                                  • Opcode ID: 6c77a1279eeafa0140710d5f0e3d2048da4a8ca5a3994186b9b30239429524b5
                                                                  • Instruction ID: c75f4f9eeee5c89e3baf6ececdc823981af69cc02dae643526f515ebc66ced85
                                                                  • Opcode Fuzzy Hash: 6c77a1279eeafa0140710d5f0e3d2048da4a8ca5a3994186b9b30239429524b5
                                                                  • Instruction Fuzzy Hash: D9115AE2A0874384FE10DB79E8513F91321BB81798F84D032CF8E466B6DE3CE1828358
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printf$O_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ App Protocol Error Code: %llu$ Final size: %llu$ Stream id: %llu$Reset stream
                                                                  • API String ID: 3508759399-1770620147
                                                                  • Opcode ID: 368b8a64a2f93e8f94735467b9df1da0ba81a941d62fb9377bcdf9f21de2b6ac
                                                                  • Instruction ID: a37c7f4fdbdd8ed79aae7913eb015f20e93c1ea815abb9b338ef5d3b0e2c2201
                                                                  • Opcode Fuzzy Hash: 368b8a64a2f93e8f94735467b9df1da0ba81a941d62fb9377bcdf9f21de2b6ac
                                                                  • Instruction Fuzzy Hash: 1E0109D2A48B4384FE50DB7DE8512F91321BB85794F84D032DF8E862B5DE6CE1828318
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 459529453-1866435925
                                                                  • Opcode ID: 01d286874095d0767bbd911ca2eefb3cedf12308353c7fe702e0f479e8242f7f
                                                                  • Instruction ID: 62481612fadb198975ec38d21ceaadea47dc3abd8d285ecc65a962328779d837
                                                                  • Opcode Fuzzy Hash: 01d286874095d0767bbd911ca2eefb3cedf12308353c7fe702e0f479e8242f7f
                                                                  • Instruction Fuzzy Hash: 8E919BB2619A8686EB10DB2AE4447B977A0FB84B84F15C13ADB5E037B5DF3CD845D304
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  • API String ID: 205993254-3431517
                                                                  • Opcode ID: 717d86520b9bdeb9a77892f14711cd35d792b643f31ec7205563042f6de224f9
                                                                  • Instruction ID: 2a61906ff20c842a3462255b107b4b89b28641b6c0af8ba85b95b2c2d7b41467
                                                                  • Opcode Fuzzy Hash: 717d86520b9bdeb9a77892f14711cd35d792b643f31ec7205563042f6de224f9
                                                                  • Instruction Fuzzy Hash: AC7180A2A0C64385EA658A3EC9503BD1291BF44BD4F54C03BDF4E877F5DE2CE8418629
                                                                  APIs
                                                                  • BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBB8DFAEC
                                                                  • BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBB8DFB00
                                                                    • Part of subcall function 00007FFBBB8E10A0: BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBB8E10CA
                                                                    • Part of subcall function 00007FFBBB8E10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBB8DECED), ref: 00007FFBBB8E10E4
                                                                    • Part of subcall function 00007FFBBB8E10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBB8DECED), ref: 00007FFBBB8E10FF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printf$O_indent
                                                                  • String ID: EncryptedPreMasterSecret$GOST-wrapped PreMasterSecret$GostKeyTransportBlob$KeyExchangeAlgorithm=%s$dh_Yc$ecdh_Yc$psk_identity
                                                                  • API String ID: 1715996925-113291103
                                                                  • Opcode ID: e1d373ff8444aa670017d42d00470ec7122ba3e86ccfd9a924da0431a144429c
                                                                  • Instruction ID: e5cfabb856b3f373b45a6630102e9f8538f89f86a3a5822d92d3d8cbf8ffea23
                                                                  • Opcode Fuzzy Hash: e1d373ff8444aa670017d42d00470ec7122ba3e86ccfd9a924da0431a144429c
                                                                  • Instruction Fuzzy Hash: 9961F6B2B096C642EA648B39E8451F97251FF84790F48C236EF9D4B7A5DF3CE204D218
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$O_new
                                                                  • String ID: SSL_set_fd$ssl\ssl_lib.c
                                                                  • API String ID: 1854182563-2027645073
                                                                  • Opcode ID: 3bf4d22b594411760d0cf080eda92fcbbef96b9ee5f432d2a843eeba7922970c
                                                                  • Instruction ID: c569ee1b14f6b9838afc7a4bb8b168e87d364f5e32b1558bacc78abfd7a72f5d
                                                                  • Opcode Fuzzy Hash: 3bf4d22b594411760d0cf080eda92fcbbef96b9ee5f432d2a843eeba7922970c
                                                                  • Instruction Fuzzy Hash: C421B3A6F2C95342F654A73DE4416A92351FFC8B84F449031FB8D03BBADE2DE8458B19
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: SSL_CTX_enable_ct$SSL_CTX_set_ct_validation_callback$ssl\ssl_lib.c
                                                                  • API String ID: 1552677711-1919550876
                                                                  • Opcode ID: f8b0ad7b6c9594f56b14bf841d5992cd98a40ee443a96b7ad4c4afdc8ab1cd4b
                                                                  • Instruction ID: 4ad1e1e703d4b209af389f41cc1a36acd97c9ae16ca16e0a15bdb4a3bd92305e
                                                                  • Opcode Fuzzy Hash: f8b0ad7b6c9594f56b14bf841d5992cd98a40ee443a96b7ad4c4afdc8ab1cd4b
                                                                  • Instruction Fuzzy Hash: 881133E6E1C94343F7549778D9413F92251BF84340F94C031EA4C826F6EE7CE9958629
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$E_finish
                                                                  • String ID: SSL_CTX_set_client_cert_engine$ssl\tls_depr.c
                                                                  • API String ID: 1317562915-507132928
                                                                  • Opcode ID: b0ddad6b2bc8f66e70613e907a26b3073a1a944dbe9535fbe2a09b4fac1cdcb7
                                                                  • Instruction ID: ecb1523249e435124a8ff6506f971d229bb358dff7103c9c0858a617a979fb51
                                                                  • Opcode Fuzzy Hash: b0ddad6b2bc8f66e70613e907a26b3073a1a944dbe9535fbe2a09b4fac1cdcb7
                                                                  • Instruction Fuzzy Hash: E51151A2B18A4343E684E739E9527BD1251BF88780F94D031EB8D426B7DE2CE8944A19
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_ctrlO_freeO_newO_s_fileR_newR_set_debugR_set_error
                                                                  • String ID: SSL_SESSION_print_fp$ssl\ssl_txt.c
                                                                  • API String ID: 1031916422-4183950648
                                                                  • Opcode ID: ecb04d8e07290a75cb03d5c9985cd22a311452324e3c8a4c3d3adef4364be37a
                                                                  • Instruction ID: 4bfe2162539e3b35764ff0992cc0372f58fdbe687d9c5ec31063922a92989d14
                                                                  • Opcode Fuzzy Hash: ecb04d8e07290a75cb03d5c9985cd22a311452324e3c8a4c3d3adef4364be37a
                                                                  • Instruction Fuzzy Hash: FF01A1A2B18A4342EA44E77AE6416A95350FF887C0F449431FF8D43BAADE2CE5518B18
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID: f$f$p$p$f
                                                                  • API String ID: 3215553584-1325933183
                                                                  • Opcode ID: bd88f8beba8490965af4e5e6ef91090dde9fa4eb1c224f68e899d4b857dae106
                                                                  • Instruction ID: 303541f05cd34d6eb9e19ad32c96da05268e27d681974cbc057e51141fec2267
                                                                  • Opcode Fuzzy Hash: bd88f8beba8490965af4e5e6ef91090dde9fa4eb1c224f68e899d4b857dae106
                                                                  • Instruction Fuzzy Hash: FB12A5E1E0C1438EFB205A3ED0556B976A9FF81754F88C035E78A466F4DB3CE5908B1A
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB90627C,?,00007FFBBB8EF4E2,?,00007FFBBB8F0F50), ref: 00007FFBBB8C699C
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB90627C,?,00007FFBBB8EF4E2,?,00007FFBBB8F0F50), ref: 00007FFBBB8C69B4
                                                                  • ERR_set_error.LIBCRYPTO-3-X64(?,00007FFBBB90627C,?,00007FFBBB8EF4E2,?,00007FFBBB8F0F50), ref: 00007FFBBB8C69C4
                                                                  • ASYNC_get_current_job.LIBCRYPTO-3-X64 ref: 00007FFBBB8C6A1B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: C_get_current_jobR_newR_set_debugR_set_error
                                                                  • String ID: SSL_do_handshake$expect_quic$ssl\quic\quic_impl.c$ssl\ssl_lib.c
                                                                  • API String ID: 2134390360-1983154402
                                                                  • Opcode ID: 5ca185094c5566ff7bdc367eb4457ce37965d4e817f97dabdd7d538c91d16f72
                                                                  • Instruction ID: 2fb7eafeb2c0e8a05124d48aa325bebc978199392e97dda6a00e320656d6a1df
                                                                  • Opcode Fuzzy Hash: 5ca185094c5566ff7bdc367eb4457ce37965d4e817f97dabdd7d538c91d16f72
                                                                  • Instruction Fuzzy Hash: 5961A5B2E08B4282E7509F39E84026E7761FB88B84F148131EB8D577A5DF7CE551CB44
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Concurrency::cancel_current_taskLockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                  • String ID: bad locale name$false$true
                                                                  • API String ID: 461674175-1062449267
                                                                  • Opcode ID: dc7332cbaf0ac065957e56581a37498bc3ef749bca419461d72de04698deaf4c
                                                                  • Instruction ID: 653b1ad24e250e32bc8046c5a513cdf1b776ddf3a26868138482029380dc8cfb
                                                                  • Opcode Fuzzy Hash: dc7332cbaf0ac065957e56581a37498bc3ef749bca419461d72de04698deaf4c
                                                                  • Instruction Fuzzy Hash: 42512DA2B0A74189FB55DBBAD8503BC22B5BF44748F048435DF4D27AB9DE38A416D388
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
                                                                  • String ID: Tic-Tac-Toe
                                                                  • API String ID: 4062082325-2776626656
                                                                  • Opcode ID: ad380d01a672e75ae00ce4b62673a0109cb025d67c861b8e24bdecd915d63931
                                                                  • Instruction ID: 5d5489e6f923b1d1160c0432dd727fff482ba4f8402ed101fdb3cdc9f4f6b4e5
                                                                  • Opcode Fuzzy Hash: ad380d01a672e75ae00ce4b62673a0109cb025d67c861b8e24bdecd915d63931
                                                                  • Instruction Fuzzy Hash: 7B51A0B2A18B8182EB10CF39E84436E73A0FB88B94F658235DB9D47764DF38D485C744
                                                                  APIs
                                                                  • EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBB8E29FB
                                                                  • EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2A30
                                                                  • EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2A56
                                                                  • EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2A73
                                                                  • EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2A89
                                                                  • EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2AA3
                                                                    • Part of subcall function 00007FFBBB8E3530: EVP_MD_get0_name.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E35B0
                                                                    • Part of subcall function 00007FFBBB8E3530: EVP_KDF_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E35C8
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_new.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E35E4
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E35FC
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_set_error.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E360D
                                                                    • Part of subcall function 00007FFBBB8E3530: EVP_KDF_CTX_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E3615
                                                                    • Part of subcall function 00007FFBBB8E3530: EVP_KDF_CTX_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E3651
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_new.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E365F
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E3677
                                                                    • Part of subcall function 00007FFBBB8E3530: ERR_set_error.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E3688
                                                                    • Part of subcall function 00007FFBBB8E3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E373C
                                                                    • Part of subcall function 00007FFBBB8E3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E376E
                                                                    • Part of subcall function 00007FFBBB8E3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E37A7
                                                                    • Part of subcall function 00007FFBBB8E3530: OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBB8FE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBB8E37CE
                                                                  • EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8E2B78
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Digest$M_construct_octet_stringX_free$Final_exInit_exR_newR_set_debugR_set_error$D_get0_nameF_freeM_construct_endUpdateX_new
                                                                  • String ID: exporter
                                                                  • API String ID: 4114161048-111224270
                                                                  • Opcode ID: 312edda8fc2ab446362c746ef5930450896386ba04ed175f41cf3f51961baa99
                                                                  • Instruction ID: 8b8b3ddaef8000552d2f500dde4f1a5f1cee690faf17f045fc0d4ff1da522ad3
                                                                  • Opcode Fuzzy Hash: 312edda8fc2ab446362c746ef5930450896386ba04ed175f41cf3f51961baa99
                                                                  • Instruction Fuzzy Hash: 7E414472618B8295EA609F2AE9442ABB394FB8D7C4F004135EF8D47B69EF3CD501CB44
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newmemcpy$R_set_debug
                                                                  • String ID: CLIENT_RANDOM$ssl\statem\statem_lib.c$tls_construct_finished
                                                                  • API String ID: 3909032045-44254327
                                                                  • Opcode ID: 9b060bf268641b092a8a4ef99d590320add54252ce0399b64471ac612fb967e3
                                                                  • Instruction ID: 12f3342ad3a18be136bad2f0d1602781cf4ca2c3074ad0edc53e683a1dbff9b6
                                                                  • Opcode Fuzzy Hash: 9b060bf268641b092a8a4ef99d590320add54252ce0399b64471ac612fb967e3
                                                                  • Instruction Fuzzy Hash: 91512AB2A0868382EB908E39D4547AC23A4FB84B88F158036DF8D477A5DF3DE885C355
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: ssl\statem\statem_srvr.c$tls_construct_server_certificate
                                                                  • API String ID: 4275876640-3519723934
                                                                  • Opcode ID: 5cfa0e92c3f7beec7cbdf2390d41e24ddaea7d5e5689eef370432dbd7b18577c
                                                                  • Instruction ID: 18b753367b8416c05bfae39680abecbb7b156f96870a064e9ff87270add887d0
                                                                  • Opcode Fuzzy Hash: 5cfa0e92c3f7beec7cbdf2390d41e24ddaea7d5e5689eef370432dbd7b18577c
                                                                  • Instruction Fuzzy Hash: 4F418562F1868342EB50DB3AE8417AD5751FB84BC4F489031EF8D93BAADE2CD5818718
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flagsR_newR_set_debugR_set_error
                                                                  • String ID: P$quic_read_record$ssl\quic\quic_tls.c
                                                                  • API String ID: 3317891849-273162510
                                                                  • Opcode ID: 5102e852573367bdd73e41e4551ebffe2e5e95fe4a8afb0ad7a7b26e73f9f9d2
                                                                  • Instruction ID: 9029a15953091c30aaa8a3654a64a38ef095115929b5e6d8975f81917e3dba42
                                                                  • Opcode Fuzzy Hash: 5102e852573367bdd73e41e4551ebffe2e5e95fe4a8afb0ad7a7b26e73f9f9d2
                                                                  • Instruction Fuzzy Hash: 40417163609B828AEB509F29D88136D77A1FB84B84F548036EF8D437A5DF3CD545C714
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_ctrlR_newR_set_debugmemcpy
                                                                  • String ID: TLS 1.3, client CertificateVerify$TLS 1.3, server CertificateVerify$get_cert_verify_tbs_data$ssl\statem\statem_lib.c
                                                                  • API String ID: 152836652-1642080044
                                                                  • Opcode ID: bb8b31b41258e1a5f9e32224b2a856727d5ae6947d3b98a53fef1ad056b79bc2
                                                                  • Instruction ID: 01229c671e4c3d94d8111bfa181a49b3782da810545de2f846841a87968d9817
                                                                  • Opcode Fuzzy Hash: bb8b31b41258e1a5f9e32224b2a856727d5ae6947d3b98a53fef1ad056b79bc2
                                                                  • Instruction Fuzzy Hash: B941AFA3A08A8382E760CF39D5406BD7760FB95B84F10D132EBCC876A2DF29E5958304
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_vset_error
                                                                  • String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_supported_versions
                                                                  • API String ID: 1390262125-1702352982
                                                                  • Opcode ID: 928fef23d7497f89953d9ca9cd67dd739b978b09f51a2bb39a747053c925bbe6
                                                                  • Instruction ID: e6811226e52524b918a4cb17ffe12a5f3983e40ea495deafe516db2b56e316ad
                                                                  • Opcode Fuzzy Hash: 928fef23d7497f89953d9ca9cd67dd739b978b09f51a2bb39a747053c925bbe6
                                                                  • Instruction Fuzzy Hash: 7D31B1A2B0C94352F620A739E5913BE1351BF847C4F508031EF8C47AE6DE2DE942D718
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
                                                                  • String ID: BMP Slideshow
                                                                  • API String ID: 4062082325-1220704405
                                                                  • Opcode ID: f68ee566886fe39ff741a0053394111fff8ced38665f08256212f8825413975a
                                                                  • Instruction ID: 16cabc08f7ec18458db7bae96e4b455f2b7ad4e28a445460089619a2fb600973
                                                                  • Opcode Fuzzy Hash: f68ee566886fe39ff741a0053394111fff8ced38665f08256212f8825413975a
                                                                  • Instruction Fuzzy Hash: 0841C272A2CB9182E710CF25FC4436E73A4FB98744F519239EB9D46A24EF79D584C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
                                                                  • String ID: fGZookimaDtJdEOZPT
                                                                  • API String ID: 4062082325-3326196812
                                                                  • Opcode ID: eb8952e36d4353818202bd7d7422031532255ae12781cdb7221359b5f78f58ac
                                                                  • Instruction ID: c954a75feddf449b60e76c9385afa5ec02f74e02b3967eea98ac7e62342d5099
                                                                  • Opcode Fuzzy Hash: eb8952e36d4353818202bd7d7422031532255ae12781cdb7221359b5f78f58ac
                                                                  • Instruction Fuzzy Hash: 6E31BE72A28B9582E710CF25FC4436E73A4FB98744F619239EB9D42A24EF79D585CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_supported_versions
                                                                  • API String ID: 4275876640-1605414176
                                                                  • Opcode ID: 47e715d0d3033352a1707b983331c398c3cb80717831acfe8eb8552b28de7579
                                                                  • Instruction ID: 05497686d482dc39476df05676a3ded5d08101b238c07b1d46bcbbc18b410125
                                                                  • Opcode Fuzzy Hash: 47e715d0d3033352a1707b983331c398c3cb80717831acfe8eb8552b28de7579
                                                                  • Instruction Fuzzy Hash: 2C21B1E1F08A4343F7559779D552AB92641FF84340F84D032DB8D426B2DE2CDAA2C718
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_pushR_newR_set_debugR_set_errormemcpy
                                                                  • String ID: P$ciphersuite_cb$ssl\ssl_ciph.c
                                                                  • API String ID: 69574139-1019853614
                                                                  • Opcode ID: 8de701af3bd75debb2c76ece76973293a78a9b8b4573dc1533d62060c179c514
                                                                  • Instruction ID: abe34e8733c1ad79e81ff8849d2bfffb8340ccd42f5c8ac3bca3ed325839a801
                                                                  • Opcode Fuzzy Hash: 8de701af3bd75debb2c76ece76973293a78a9b8b4573dc1533d62060c179c514
                                                                  • Instruction Fuzzy Hash: 7E11A292B1C9434AF660AB3CE9913BE5291BF88784F50C531EB8C426F6EE1CE1048B1D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug$memcmp
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_renegotiate
                                                                  • API String ID: 4071200903-75546675
                                                                  • Opcode ID: bb85a8421b4fead51e7594099f54c8f221dcd85dcb336fa1356f195709cf5093
                                                                  • Instruction ID: efd187943d1a0010e3735cf13bc00c58ce0e6932df9aa32a5310ca9f35354fc5
                                                                  • Opcode Fuzzy Hash: bb85a8421b4fead51e7594099f54c8f221dcd85dcb336fa1356f195709cf5093
                                                                  • Instruction Fuzzy Hash: 49218EE2F09A8342FB459B79D8517B82351FB80B40F54D432EB8D47BA2DE2CE991C318
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_new_nullL_sk_pushR_newR_set_debugR_set_errorX509_up_ref
                                                                  • String ID: ssl\ssl_cert.c$ssl_cert_add0_chain_cert
                                                                  • API String ID: 3689422639-2634322016
                                                                  • Opcode ID: 1e7a881c92af8f3abde9f7b5f072c161cd90d143ed16886d35a2f35a9e589d46
                                                                  • Instruction ID: a3141533f3b7d9c55b9441b80211784c805e6c0092bac9fc09dbeef8d9a6b254
                                                                  • Opcode Fuzzy Hash: 1e7a881c92af8f3abde9f7b5f072c161cd90d143ed16886d35a2f35a9e589d46
                                                                  • Instruction Fuzzy Hash: 641166A2B09A4342EA54DB3DE9112BD6291FF84B84F189431DF4D477B6DF2DE8418614
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_set_error$Y_freeY_get_security_bits
                                                                  • String ID: ssl3_ctrl$ssl\s3_lib.c
                                                                  • API String ID: 3247900180-3530330221
                                                                  • Opcode ID: 45c353e25d21d6f4c8c3fd7b4375d0a254dcf3d7912affc0b395e4f61d9e8e64
                                                                  • Instruction ID: ad7369f62bcfb60838ab6f5f68a63359e5d8483e5bb2b340764fdb4839a1ffa8
                                                                  • Opcode Fuzzy Hash: 45c353e25d21d6f4c8c3fd7b4375d0a254dcf3d7912affc0b395e4f61d9e8e64
                                                                  • Instruction Fuzzy Hash: 300196E5A1CA0342F665E77CD8012BE1651BF84740F90C432EB8D437F6DE2DE5428619
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$Crypto
                                                                  • API String ID: 3964688267-430340682
                                                                  • Opcode ID: 8a63c5f8c401c0dfba093aa743dfda9597321817ddcaaddea12e6c6481f277cc
                                                                  • Instruction ID: b8e0661307ee8cd9ba34512075807d5e84c0813aaecebd8000c46fe5a755ab92
                                                                  • Opcode Fuzzy Hash: 8a63c5f8c401c0dfba093aa743dfda9597321817ddcaaddea12e6c6481f277cc
                                                                  • Instruction Fuzzy Hash: C90108D2A4864384FA509B79E8513F91361BB85794F94D032DF8E866B6DE7CE1828318
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_printfO_puts
                                                                  • String ID: <unexpected trailing frame data skipped>$ App Protocol Error Code: %llu$ Stream id: %llu$Stop sending
                                                                  • API String ID: 3964688267-1785104151
                                                                  • Opcode ID: 9f1cd5c1f00599a0fdb8453dddf303157e9adee7d9a09485c25566836dd8f4cf
                                                                  • Instruction ID: 7fc0f475b5d194600e575bd987eeab16a7cc40fb5e806905215b19f7ff89d7db
                                                                  • Opcode Fuzzy Hash: 9f1cd5c1f00599a0fdb8453dddf303157e9adee7d9a09485c25566836dd8f4cf
                                                                  • Instruction Fuzzy Hash: AF011AD2A4870384FE50DB7DE8513F91361BB857A4F84D032DF8E862B6DE6CE1828318
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                  • API String ID: 667068680-1247241052
                                                                  • Opcode ID: 5b3d8a8124bd7151014593c581555d17c54507f4b927efc553396011554c3583
                                                                  • Instruction ID: aa60a1cd469217ccf0d4026439b36775d8500a861c01f1ff137b9fd87f3db003
                                                                  • Opcode Fuzzy Hash: 5b3d8a8124bd7151014593c581555d17c54507f4b927efc553396011554c3583
                                                                  • Instruction Fuzzy Hash: DFF0D4A4E29B03DAEE448B79FC8406423A1FF59B51F44A531CA8E86330EF3CA059C708
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 849930591-393685449
                                                                  • Opcode ID: fd0d93f8a4efe9c8157fc15cab882f7195ada27e2e67ad0e38d771451537e3b2
                                                                  • Instruction ID: eb975081db70c22ee06adf83e350c735594837656206caf25d0dd9fbcfa9cac6
                                                                  • Opcode Fuzzy Hash: fd0d93f8a4efe9c8157fc15cab882f7195ada27e2e67ad0e38d771451537e3b2
                                                                  • Instruction Fuzzy Hash: B7D16FE2A097458AEB209B7AD4803AD77A0FB457D8F508235EB8D57BB9DF38E441C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_$Lockit::~_
                                                                  • String ID: bad locale name
                                                                  • API String ID: 297799400-1405518554
                                                                  • Opcode ID: daf00f2ef7982a446ca298dfa364d7263b054506eab4afc7fab304dcaf25dfa6
                                                                  • Instruction ID: 2d1c17342debb9bcf17c48cdfbc86dad2f78fbd5b91126ef14be67fd6e8f9d82
                                                                  • Opcode Fuzzy Hash: daf00f2ef7982a446ca298dfa364d7263b054506eab4afc7fab304dcaf25dfa6
                                                                  • Instruction Fuzzy Hash: 18913B62B0AB8199FB54DFBAD4903AC23A4FF44748F048435DF4D26AB9CE38D526D348
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: api-ms-$ext-ms-
                                                                  • API String ID: 3013587201-537541572
                                                                  • Opcode ID: b25fc0cd47019a7477e215eefe7c7526f9ef6ce301dd30fa812ed11ec5bd3616
                                                                  • Instruction ID: c50cb41f33ca6cc7679a2e6c2f389ccd9431bf1bcfa08bb1a9fe7939b44cf5e9
                                                                  • Opcode Fuzzy Hash: b25fc0cd47019a7477e215eefe7c7526f9ef6ce301dd30fa812ed11ec5bd3616
                                                                  • Instruction Fuzzy Hash: 0E41C2A2B2D68285EA26DB3BDC045752291BF45BE0F498535DF1D47BB4EE3CE444834C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_server_cert_type
                                                                  • API String ID: 193678381-2874584118
                                                                  • Opcode ID: 6d8631077a1984b73a53912ccfce7917677c6bb252745496a2f40c71b3a5a292
                                                                  • Instruction ID: de03cc11e7ce002b2573956b727f81a341e61fef180fc45ff3101f38a898047d
                                                                  • Opcode Fuzzy Hash: 6d8631077a1984b73a53912ccfce7917677c6bb252745496a2f40c71b3a5a292
                                                                  • Instruction Fuzzy Hash: F9218CE2E1DA8382EA009B78D4107B92351FF94784F04D431EBCD46AA6EF2CD685C319
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$memcpy
                                                                  • String ID: dtls_process_hello_verify$ssl\statem\statem_clnt.c
                                                                  • API String ID: 31086664-3697452390
                                                                  • Opcode ID: c7d824e819e8ab3bfa2856d94e1a2ee021394daca7d851e7b5322861d86fd274
                                                                  • Instruction ID: d0e96105c60223cdb441a698c70aa731590830e51d72d8be7c8b589dcc056ae8
                                                                  • Opcode Fuzzy Hash: c7d824e819e8ab3bfa2856d94e1a2ee021394daca7d851e7b5322861d86fd274
                                                                  • Instruction Fuzzy Hash: AB2182F2F08A8682E7009B39E9452B9A352FB94790F44D231EB9D077B6DF3CD5918704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flagsR_newR_set_debugR_vset_error
                                                                  • String ID: $ossl_statem_server_read_transition$ssl\statem\statem_srvr.c
                                                                  • API String ID: 3455785776-558299289
                                                                  • Opcode ID: 8cf5daad4b3786bdbf230bd70d87b9ae8d226cc96fe09fbd800354ea9b8bf0ac
                                                                  • Instruction ID: f6fdaf80a7b97121f6cb1927683bcde1803e1d917e8d73a636002b98f4ca7ff9
                                                                  • Opcode Fuzzy Hash: 8cf5daad4b3786bdbf230bd70d87b9ae8d226cc96fe09fbd800354ea9b8bf0ac
                                                                  • Instruction Fuzzy Hash: A3219DA2F0924386FB909B79D4953BD2291FBC4744F488030DB8C4A6E6CF7C99D58729
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug
                                                                  • String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_maxfragmentlen
                                                                  • API String ID: 476316267-3788999166
                                                                  • Opcode ID: 65d4d03e7a566a0d90403e4520b0f16ec32eeb22bf4ef4904a962091549d036e
                                                                  • Instruction ID: db00d6fee8bb2787f28a027aa4a8ffd1e96dde8e6656ffc50d8a22c954f6d581
                                                                  • Opcode Fuzzy Hash: 65d4d03e7a566a0d90403e4520b0f16ec32eeb22bf4ef4904a962091549d036e
                                                                  • Instruction Fuzzy Hash: 58116DE2E08A8786F7519B78D8517F93B51FB80740F94D432DA8C437A2DE2C9996C728
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_new_nullL_sk_pushR_newR_set_debugR_set_error
                                                                  • String ID: ssl\ssl_cert.c$ssl_cert_add0_chain_cert
                                                                  • API String ID: 378185551-2634322016
                                                                  • Opcode ID: e5f83e0da719cfb2e4ee9e9173f8a91fe72f62dc3e9f961750c61f40fb88d715
                                                                  • Instruction ID: a5fcf426145e602cd5407ce233bbfb5032659545b7fbb0dace3bdc50e0fedd5e
                                                                  • Opcode Fuzzy Hash: e5f83e0da719cfb2e4ee9e9173f8a91fe72f62dc3e9f961750c61f40fb88d715
                                                                  • Instruction Fuzzy Hash: C01189A2A19A4386FB649B3DD8502BD6390FF84B80F188435DF8D437A6DF7DE4518618
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debugR_set_error
                                                                  • String ID: P$quic_release_record$ssl\quic\quic_tls.c
                                                                  • API String ID: 1911843320-2784669786
                                                                  • Opcode ID: 61e25446c6bd95800c753039f2c538c45abd5ab38b71fce05297fe64c514133b
                                                                  • Instruction ID: cf3341bcea4751a607199e04e38d820c0cac717761c0004d927f06cc9f65c549
                                                                  • Opcode Fuzzy Hash: 61e25446c6bd95800c753039f2c538c45abd5ab38b71fce05297fe64c514133b
                                                                  • Instruction Fuzzy Hash: 33114FA2A05A0386FF509B38C8C176D2651FF44B44FA48431D78D467A5EF6CE8858719
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$L_sk_new_nullL_sk_pushR_set_debug
                                                                  • String ID: ssl3_ctx_ctrl$ssl\s3_lib.c
                                                                  • API String ID: 2439357478-173183182
                                                                  • Opcode ID: a68a812b756baef72e22539a4a33662ccc53d274c8b61bc537825acf1c9fe3fa
                                                                  • Instruction ID: 3f18674f6fb1c6bc04f06d8a39f225b444a72beb558ff6f533e39069e6a75ee8
                                                                  • Opcode Fuzzy Hash: a68a812b756baef72e22539a4a33662ccc53d274c8b61bc537825acf1c9fe3fa
                                                                  • Instruction Fuzzy Hash: AEF09AA1A18A0342FE64AB7DE8013BD1241BF88744F04C435EB8C0A6E6EE2DE880421A
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_findL_sk_valueL_strnlenmemcpy
                                                                  • String ID:
                                                                  • API String ID: 2509952571-0
                                                                  • Opcode ID: d576affcf74c1c02e287bc690aa69cb2a953c288911995f3c86bc71865bdfac3
                                                                  • Instruction ID: d25ab63a1bc25aab52e0fc312b5f6ba97b3e4b7df03c54a1eb0ee42bbac24d2d
                                                                  • Opcode Fuzzy Hash: d576affcf74c1c02e287bc690aa69cb2a953c288911995f3c86bc71865bdfac3
                                                                  • Instruction Fuzzy Hash: 0041BEE2B4A65351EA959A2AF94423A6780BF41BD0F44C435EF8D973E2DFBCE441C308
                                                                  APIs
                                                                  • OBJ_nid2sn.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFADA
                                                                  • EVP_get_digestbyname.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFAE2
                                                                  • EVP_MD_get_size.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFAF3
                                                                  • OBJ_nid2sn.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFB31
                                                                  • EVP_get_cipherbyname.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFB39
                                                                  • EVP_CIPHER_get_mode.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFB49
                                                                  • EVP_CIPHER_get_iv_length.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFB59
                                                                  • EVP_CIPHER_get_block_size.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB8B3B9A), ref: 00007FFBBB8BFB64
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: J_nid2sn$D_get_sizeP_get_cipherbynameP_get_digestbynameR_get_block_sizeR_get_iv_lengthR_get_mode
                                                                  • String ID:
                                                                  • API String ID: 1749907837-0
                                                                  • Opcode ID: e5c82b9fa8379f89a426edff4a90c2308afcf7c1ca8c355a158d7b45794f1bf3
                                                                  • Instruction ID: 407158bc1a76659f7fa8b19cb65ce99c2140fdcc16c7f0d0136ca6351d306a15
                                                                  • Opcode Fuzzy Hash: e5c82b9fa8379f89a426edff4a90c2308afcf7c1ca8c355a158d7b45794f1bf3
                                                                  • Instruction Fuzzy Hash: 15418FA2E0960746EA749A3DD86427D6394BF98B94F14C531EF4D433F2DE3EE8428748
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID: f$p$p
                                                                  • API String ID: 3215553584-1995029353
                                                                  • Opcode ID: f700c26392ed159dd1e688922b48ff9606fb20e8ccb41c411375879c8e83c523
                                                                  • Instruction ID: 5f60227c9c556fc879fdce256f240a97d46d14d1e9d9ec37eae3abf545aaa140
                                                                  • Opcode Fuzzy Hash: f700c26392ed159dd1e688922b48ff9606fb20e8ccb41c411375879c8e83c523
                                                                  • Instruction Fuzzy Hash: EB1284A1A0C14386FB249A2AD054AB9766AFF50754F84C035E79D476F4DF3CE590CB0A
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 3215553584-0
                                                                  • Opcode ID: d6040c6d8456f3371ee7578893d0468f69edbedc6b27cd2e1af0b893f6be8adc
                                                                  • Instruction ID: 5ebc6cd254a6042cf8d1bbcf91a51c32b8960360432afcc77f2f7013bff26520
                                                                  • Opcode Fuzzy Hash: d6040c6d8456f3371ee7578893d0468f69edbedc6b27cd2e1af0b893f6be8adc
                                                                  • Instruction Fuzzy Hash: D0C1DFA2A186C692EA61DB7AD4002BD37A4FF80B80F558135DB4E037B5DE7CE845C71D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: LineMovePixelText
                                                                  • String ID: Select item!$VUUU
                                                                  • API String ID: 535896401-3701233967
                                                                  • Opcode ID: aee0e0285f740b06590434f7808ad074d99240b39ce0de0f288523be78e2d643
                                                                  • Instruction ID: c53ef63550f78f6a5724b79712b30758aa4c2ac2ee6473f0cb759f57bbd0405a
                                                                  • Opcode Fuzzy Hash: aee0e0285f740b06590434f7808ad074d99240b39ce0de0f288523be78e2d643
                                                                  • Instruction Fuzzy Hash: 08514AF2A256028BE310CF3DEC5556877A2FB84751B08C239DA4D877B4EE3CE5559B08
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$R_set_debug
                                                                  • String ID: ssl\statem\statem_srvr.c$tls_construct_server_hello
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  APIs
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBB6
                                                                  • OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBC5
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBBE1
                                                                  • EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD03
                                                                  • OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBB8DCAC7,?,00007FFBBB8B7658), ref: 00007FFBBB8DBD9D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_valueY_is_a
                                                                  • String ID: RSA
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                  • String ID: bad locale name
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB8B1740: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBB8B20F6
                                                                    • Part of subcall function 00007FFBBB8B1740: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8B2138
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB915844), ref: 00007FFBBB918CD4
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB915844), ref: 00007FFBBB918CEC
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB915844), ref: 00007FFBBB918D0A
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBB915844), ref: 00007FFBBB918D22
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$O_freeO_zalloc
                                                                  • String ID: ssl\record\methods\tls_common.c$tls_initialise_write_packets_default
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB8B6310: BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBB8B6352
                                                                    • Part of subcall function 00007FFBBB8B6310: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB8B635E
                                                                    • Part of subcall function 00007FFBBB8B6310: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB8B6376
                                                                    • Part of subcall function 00007FFBBB8CF140: EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF17D
                                                                    • Part of subcall function 00007FFBBB8CF140: EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF185
                                                                    • Part of subcall function 00007FFBBB8CF140: EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF198
                                                                    • Part of subcall function 00007FFBBB8CF140: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF1A5
                                                                    • Part of subcall function 00007FFBBB8CF140: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF200
                                                                    • Part of subcall function 00007FFBBB8CF140: EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBB8CF21D
                                                                    • Part of subcall function 00007FFBBB8D6CC0: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB8D6D85
                                                                    • Part of subcall function 00007FFBBB8D6CC0: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB8D6DA3
                                                                  • OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBB8D7AB6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$D_get_sizeL_cleanseO_ctrlX_freeX_get0_cipherX_new
                                                                  • String ID: $ $0$extended master secret$master secret
                                                                  • API String ID: 1082017977-741269486
                                                                  • Opcode ID: b144277d6bbb0e303d512a80b9faeac888aa8dabcaa9d5c2572c66ea408fa9e0
                                                                  • Instruction ID: 04255b0a8abc0488236c8a97dfe9557c98c762485bc73be1bcafb5996a06889e
                                                                  • Opcode Fuzzy Hash: b144277d6bbb0e303d512a80b9faeac888aa8dabcaa9d5c2572c66ea408fa9e0
                                                                  • Instruction Fuzzy Hash: 924115B6608B8185E724CB29F84039AB7A4FB88784F548135EBCC43B69EF7DD155CB14
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Concurrency::cancel_current_taskFacet_Register
                                                                  • String ID:
                                                                  • API String ID: 1514469905-0
                                                                  • Opcode ID: 332ef721d144477262d7bb05a648cef88784c939d2eb770dc8289c08c1968dcc
                                                                  • Instruction ID: 08f760cbaa0f2882171ccb625ddc7fb531e2e915fa5f6c82d1bcfcc069c67cab
                                                                  • Opcode Fuzzy Hash: 332ef721d144477262d7bb05a648cef88784c939d2eb770dc8289c08c1968dcc
                                                                  • Instruction Fuzzy Hash: 463180A2B19A4286EA15DB7FE8441B86760FB84BA0F098131DF5D472F5DF3CE482C308
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB9154E1), ref: 00007FFBBB917949
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB9154E1), ref: 00007FFBBB917961
                                                                    • Part of subcall function 00007FFBBB9176D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFBBB9134A0,?,00007FFBBB912DD6), ref: 00007FFBBB9176FE
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB9154E1), ref: 00007FFBBB9179D2
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB9154E1), ref: 00007FFBBB9179EA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: ssl\record\methods\tls_common.c$tls13_common_post_process_record
                                                                  • API String ID: 4275876640-3425960161
                                                                  • Opcode ID: 8e2b9a8b014cf900fbc52dd60a700427e7d18965291d3452dd1506d777650471
                                                                  • Instruction ID: b7f9e1786dea00b698ed102d8890cba85c5b24313f4590b42076a51a5279c2c9
                                                                  • Opcode Fuzzy Hash: 8e2b9a8b014cf900fbc52dd60a700427e7d18965291d3452dd1506d777650471
                                                                  • Instruction Fuzzy Hash: 4B2171B2B0858392E750DB2DE5417ED67A0FB84784F548532EB8C83B65CF7DD5818708
                                                                  APIs
                                                                  • GetLastError.KERNEL32 ref: 00007FFBBB7EE76F
                                                                  • FlsGetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE784
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7A5
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7D2
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7E3
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F,?,?,00000000,00007FFBBB7F70E7), ref: 00007FFBBB7EE7F4
                                                                  • SetLastError.KERNEL32 ref: 00007FFBBB7EE80F
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 9a83606c4a075a5b41040a22f86703265698654417528fed1220d4407736ec0a
                                                                  • Instruction ID: e6cd4b4c9a72522a3e6f7d7a05f141616b486c9814d12dd39cf68f9b97dedbaa
                                                                  • Opcode Fuzzy Hash: 9a83606c4a075a5b41040a22f86703265698654417528fed1220d4407736ec0a
                                                                  • Instruction Fuzzy Hash: 60217FA0E1C28346FAA8933ED95503951567F847F4F54CA34EB2E17FF6DE2CB4019609
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_clear_errorR_newR_set_debugR_set_error
                                                                  • String ID: SSL_clear$ssl\ssl_lib.c
                                                                  • API String ID: 316169390-283065258
                                                                  • Opcode ID: b720089eeedaff3196e5f058fa76cc12c6884403f6b9091f27a65491424013f6
                                                                  • Instruction ID: 9d46641e5e71ef90d980bc4c72ae71b035f4de6080c467136386b87c208eacc7
                                                                  • Opcode Fuzzy Hash: b720089eeedaff3196e5f058fa76cc12c6884403f6b9091f27a65491424013f6
                                                                  • Instruction Fuzzy Hash: CF21D1B2B19A4687FB949B3DE9823BC2250FF48754F588130EB5D426F6DE6CD8C48718
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: final_ems$ssl\statem\extensions.c
                                                                  • API String ID: 4275876640-224909566
                                                                  • Opcode ID: 0da9a07e1feb414013fdeba588f310a082dc6ae0b632e0890db4051c38c98f88
                                                                  • Instruction ID: 9ccb9a6536cee653830fb86e3090563fb9ffab0826a4881597b3d96c4be3c99c
                                                                  • Opcode Fuzzy Hash: 0da9a07e1feb414013fdeba588f310a082dc6ae0b632e0890db4051c38c98f88
                                                                  • Instruction Fuzzy Hash: C5118EB2E4964397F784DB79D44A7F82252FF84710F94C031D74C426B5DE2CA986C61D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                  • String ID: CONOUT$
                                                                  • API String ID: 3230265001-3130406586
                                                                  • Opcode ID: b83bb3ad7459ce5309a5367e1d11714289d783daa632166cbfaf408edbcc18b1
                                                                  • Instruction ID: cc74c188ca81edbcd99f53915e194b2e0222b70c6e2b89da78258c5aa7f60901
                                                                  • Opcode Fuzzy Hash: b83bb3ad7459ce5309a5367e1d11714289d783daa632166cbfaf408edbcc18b1
                                                                  • Instruction Fuzzy Hash: 61118461728A4187E7509B6AEC4432967A0FB49FE5F448234EB5D877A4DF3CD8048748
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error$L_sk_freeL_sk_new_nullstrchrstrncmp
                                                                  • String ID: ssl\d1_srtp.c$ssl_ctx_make_profiles
                                                                  • API String ID: 4085728402-797804856
                                                                  • Opcode ID: 8847f4933e00ffb02b96382a3c5e0800a52636921573a3eae90287bfdbb066db
                                                                  • Instruction ID: 427162fdac74b73b69e78867df69318826099a5ad681b36003d1e919cb53df50
                                                                  • Opcode Fuzzy Hash: 8847f4933e00ffb02b96382a3c5e0800a52636921573a3eae90287bfdbb066db
                                                                  • Instruction Fuzzy Hash: CD01C4E3E0A61346EA64E779D8517F91251BF84380F40C031EF4C526A2EE2E94424718
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$Enter$CurrentReleaseSemaphoreThread
                                                                  • String ID:
                                                                  • API String ID: 4252005047-0
                                                                  • Opcode ID: 028c4c0836ae4cabca33a3449e1248e774a890a0f4de7988a47adc37785eea0e
                                                                  • Instruction ID: 03e3a915f76356970ae98789e4236e1706de16b557ad72b0e6bb14138ff32a17
                                                                  • Opcode Fuzzy Hash: 028c4c0836ae4cabca33a3449e1248e774a890a0f4de7988a47adc37785eea0e
                                                                  • Instruction Fuzzy Hash: 6E11E8B6A14B02D7E7689F79E9951283370FB49B44B149431CF8E43724DF38E4A4C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: A_freeR_newR_set_debugR_set_error
                                                                  • String ID: SSL_CTX_use_RSAPrivateKey_ASN1$ssl\ssl_rsa_legacy.c
                                                                  • API String ID: 4284916926-3527806555
                                                                  • Opcode ID: dcf2d47ae0eac96585e7b31662573dda4dd776a59a605c140b5ae1f888b9e1df
                                                                  • Instruction ID: dd5688cdb3e5d0140bc881cd4d8cd9751e9926031f3be109ca9938ef0c9121e7
                                                                  • Opcode Fuzzy Hash: dcf2d47ae0eac96585e7b31662573dda4dd776a59a605c140b5ae1f888b9e1df
                                                                  • Instruction Fuzzy Hash: C801DB92B18E0382EA44A73DE5412B95250FF883C0F449436F78D47BABDD2CD5408628
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide
                                                                  • String ID:
                                                                  • API String ID: 2829165498-0
                                                                  • Opcode ID: fc703ce3d69f644adad85738efe477ed3353f614893da33bc734d2292c9868b6
                                                                  • Instruction ID: fb9a87842a9dd40118f7f024aee2a28b5b6ccd43612f5146050f14969b043cdd
                                                                  • Opcode Fuzzy Hash: fc703ce3d69f644adad85738efe477ed3353f614893da33bc734d2292c9868b6
                                                                  • Instruction Fuzzy Hash: F1818DF2A0974186EB208F2EE94026962A5FF44BE8F548675EB5D47BF9EF3CD4018704
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 3215553584-0
                                                                  • Opcode ID: 8a873846761dbbe63e27274433d0f5c4eba8684864d2fcd0bbd6e0531239e310
                                                                  • Instruction ID: 051beb05cc57d24aec7c047c302655c86f8c093f787f940b8e0735c2ab3c3bcd
                                                                  • Opcode Fuzzy Hash: 8a873846761dbbe63e27274433d0f5c4eba8684864d2fcd0bbd6e0531239e310
                                                                  • Instruction Fuzzy Hash: 206118A291860A81EB61AF3ED05027C32A8FF50F64B54C231D7A9177F9DF3CA451C71A
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AcquireExclusiveLock$CurrentThreadsys_get_time
                                                                  • String ID:
                                                                  • API String ID: 184115430-0
                                                                  • Opcode ID: cf94e7fb6760240fbddfc608ca63849ae68eb7c62328f16ac9bd84df5a7da401
                                                                  • Instruction ID: ae853798a2e75c6e6d3c955aebd6969288ed85cc5bc63236c47ddf66868e39a1
                                                                  • Opcode Fuzzy Hash: cf94e7fb6760240fbddfc608ca63849ae68eb7c62328f16ac9bd84df5a7da401
                                                                  • Instruction Fuzzy Hash: 29414CF2A1960686E7648F7ED84023C73A0FB54BA4F408471D78D466B8EF3DE881CB08
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: L_sk_num$L_sk_freeL_sk_new_nullL_sk_pushL_sk_value
                                                                  • String ID:
                                                                  • API String ID: 1173513325-0
                                                                  • Opcode ID: 6b500d0c9a1a1803aee1c5ada926352a13d2bbd8437f3adec64672f62db75574
                                                                  • Instruction ID: c1ebcf9de7d4cca3acd43cd156866a301d69377745b278b188825069dd595e0c
                                                                  • Opcode Fuzzy Hash: 6b500d0c9a1a1803aee1c5ada926352a13d2bbd8437f3adec64672f62db75574
                                                                  • Instruction Fuzzy Hash: 462165D5B0965342FAA5AA3AE8002795290BF84FC4F18D435EF8D57BE6DE7CE8424308
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 3523768491-393685449
                                                                  • Opcode ID: c41cb92720b91c9db3c5d6677faef10c581319b407977545ddd0c939eeb25316
                                                                  • Instruction ID: 697f48889bb460aefdcff7cdf557f6aaaf9142afaa6da254ac35f6356f244cef
                                                                  • Opcode Fuzzy Hash: c41cb92720b91c9db3c5d6677faef10c581319b407977545ddd0c939eeb25316
                                                                  • Instruction Fuzzy Hash: 5FE1AFF29096828AE7209F3AD4842BD77A0FB45788F148235EB8D577B6DF38E485C704
                                                                  APIs
                                                                  • GetLastError.KERNEL32 ref: 00007FFBBB7EE8E7
                                                                  • FlsSetValue.KERNEL32(?,?,000044AEF0A65C40,00007FFBBB7E4575,?,?,?,?,00007FFBBB7F8852,?,?,00000000,00007FFBBB7FA6B7,?,?,?), ref: 00007FFBBB7EE91D
                                                                  • FlsSetValue.KERNEL32(?,?,000044AEF0A65C40,00007FFBBB7E4575,?,?,?,?,00007FFBBB7F8852,?,?,00000000,00007FFBBB7FA6B7,?,?,?), ref: 00007FFBBB7EE94A
                                                                  • FlsSetValue.KERNEL32(?,?,000044AEF0A65C40,00007FFBBB7E4575,?,?,?,?,00007FFBBB7F8852,?,?,00000000,00007FFBBB7FA6B7,?,?,?), ref: 00007FFBBB7EE95B
                                                                  • FlsSetValue.KERNEL32(?,?,000044AEF0A65C40,00007FFBBB7E4575,?,?,?,?,00007FFBBB7F8852,?,?,00000000,00007FFBBB7FA6B7,?,?,?), ref: 00007FFBBB7EE96C
                                                                  • SetLastError.KERNEL32 ref: 00007FFBBB7EE987
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Value$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 2506987500-0
                                                                  • Opcode ID: 72ab780c25ba5c864d47a731ba652f97d6eaf09ed321dc141c72ea5ffb974a8c
                                                                  • Instruction ID: 21f6df29df6b7dd4ad5bf0d61cd096398f03da6e37db2011bb5058ace7658b96
                                                                  • Opcode Fuzzy Hash: 72ab780c25ba5c864d47a731ba652f97d6eaf09ed321dc141c72ea5ffb974a8c
                                                                  • Instruction Fuzzy Hash: DC1142A0E1868346FAE8973BD95103961967F447F4F55CA34EB2E06BF6DE2CF401920A
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                  • String ID: ,$false$true
                                                                  • API String ID: 1173176844-760133229
                                                                  • Opcode ID: a4840bfdb9d837ec348fc45042d453f39fa3442094ac73bcd7728b46a1a762bd
                                                                  • Instruction ID: 9e5b0da5f8cd076873d9b9b89ad88d57e31fc5d191ed2467cb375ce67dcb98c9
                                                                  • Opcode Fuzzy Hash: a4840bfdb9d837ec348fc45042d453f39fa3442094ac73bcd7728b46a1a762bd
                                                                  • Instruction Fuzzy Hash: 32616BB2B1AA4585EB109F7AD4442E923A8FF58788F544136EF4C47BB9EE78D506C308
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_new$O_zallocR_set_debug
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_supported_versions
                                                                  • API String ID: 3661993454-4203788918
                                                                  • Opcode ID: 5361361cb8ef8a2e52ad03665cacb31d5d65c32ae060ee2d0db4cbebd068e1a9
                                                                  • Instruction ID: 0694fc0c5795b2961fc422b132374cddb4b38fa00d7bed1b97b7261c3ac17628
                                                                  • Opcode Fuzzy Hash: 5361361cb8ef8a2e52ad03665cacb31d5d65c32ae060ee2d0db4cbebd068e1a9
                                                                  • Instruction Fuzzy Hash: 87214292F1894342FA54973AE9457BD2351BF847C0F158031EB8D8B6E6EE2DE845835C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: ssl3_do_change_cipher_spec$ssl\s3_msg.c
                                                                  • API String ID: 1552677711-2944025119
                                                                  • Opcode ID: 474896de26a07473f52d7c90f788f6b8832359557cb9bbcc756f5ee14a8d88f3
                                                                  • Instruction ID: d34114f2b56b715f28bd64a42bf41e46cce26de325e81fd35fa5fc9b11b250d7
                                                                  • Opcode Fuzzy Hash: 474896de26a07473f52d7c90f788f6b8832359557cb9bbcc756f5ee14a8d88f3
                                                                  • Instruction Fuzzy Hash: D5217573B08A4282E7549B39E8853AD2390FB84B84F588032DB5D473A5DF39C8D6C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_indentO_printf
                                                                  • String ID: %s=0x%x (%s)$cookie$server_version
                                                                  • API String ID: 1860387303-2821402668
                                                                  • Opcode ID: a940f3b7a24d50b7e4e351222ed599abd1bb65f0fdbb4cd931de438e67b08520
                                                                  • Instruction ID: 5e38fbeeb16fe79e701ebbbee1ccc076c3e50191364865a7f2e41b4465a0ff28
                                                                  • Opcode Fuzzy Hash: a940f3b7a24d50b7e4e351222ed599abd1bb65f0fdbb4cd931de438e67b08520
                                                                  • Instruction Fuzzy Hash: A41127A2B0829249EA108B38E81A1F93252FBC0768F45C232CBEC037F4DE3CD142C318
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: quic_set_protocol_version$ssl\quic\quic_tls.c
                                                                  • API String ID: 1552677711-978048924
                                                                  • Opcode ID: 4e968e8428bb09aff2c4d3c7654aab038859941f1975555b1a579969c78df0fe
                                                                  • Instruction ID: 37ed8f704c0848f0c3ba0107ce57b29e4cbbce5a6fba554f0be7b12568bcfd7f
                                                                  • Opcode Fuzzy Hash: 4e968e8428bb09aff2c4d3c7654aab038859941f1975555b1a579969c78df0fe
                                                                  • Instruction Fuzzy Hash: 6AF090E2F096034BFB949778D9867B81281BF80300FA8C430DB8C426B1DE2C99C58719
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: a50e3a01188f6dc9efe75aefd6baebe2f3b52dce452edef7a7c28fc6910371ca
                                                                  • Instruction ID: b33b0cdff3cb0fd7d3e5049a082183ae56a3d07037a6eefb0bbae13ab37d80b3
                                                                  • Opcode Fuzzy Hash: a50e3a01188f6dc9efe75aefd6baebe2f3b52dce452edef7a7c28fc6910371ca
                                                                  • Instruction Fuzzy Hash: 92F062A5B1870292FE148B39EC553796324FF89B61F549635D76E452F4CF6CD448C308
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: ssl3_ctrl$ssl\s3_lib.c
                                                                  • API String ID: 1552677711-3530330221
                                                                  • Opcode ID: 40067164864a4a7e23fcf65eba692f3328a1f9b77b06b008942a7021cdaa2fe3
                                                                  • Instruction ID: c8f88414fdded0ed981f87def93af8baaab85fcd78d0edc95d55b79d5514b455
                                                                  • Opcode Fuzzy Hash: 40067164864a4a7e23fcf65eba692f3328a1f9b77b06b008942a7021cdaa2fe3
                                                                  • Instruction Fuzzy Hash: 8FF0BBA6B08A5283E760D778E8016BE1311FF84750F908032DF8C57AB6DE2DE542C715
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: ssl\record\methods\tlsany_meth.c$tls_any_set_crypto_state
                                                                  • API String ID: 1552677711-1973945482
                                                                  • Opcode ID: eb085a95f7e5908a15c866621bae7a982f16639ace6ade9780de6d467ab8683d
                                                                  • Instruction ID: 9a900721eb424d3dcd9a882da971221d854354fbe816f8923ec472288b999313
                                                                  • Opcode Fuzzy Hash: eb085a95f7e5908a15c866621bae7a982f16639ace6ade9780de6d467ab8683d
                                                                  • Instruction Fuzzy Hash: 5BE01AA6E1990383F644E37CC8527A91252BFD4300FE4C131E69D416F2EE1DA9498619
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_set_error
                                                                  • String ID: ssl3_ctrl$ssl\s3_lib.c
                                                                  • API String ID: 1552677711-3530330221
                                                                  • Opcode ID: 020e8f8e706ceab002d3951e0eb20ee59482c098b6842db8e2a32c2a221e1dd0
                                                                  • Instruction ID: 09f0e6f155dd8eb9098a820765c54b8f375f7626ccb9322bc675195893558508
                                                                  • Opcode Fuzzy Hash: 020e8f8e706ceab002d3951e0eb20ee59482c098b6842db8e2a32c2a221e1dd0
                                                                  • Instruction Fuzzy Hash: 4AE09262B0C90283E250E778E4011AA1311FB84350F908432EB8C126B6DE2DE582CB05
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustPointer
                                                                  • String ID:
                                                                  • API String ID: 1740715915-0
                                                                  • Opcode ID: 0cd83f57b40d9c7e4f086feb6d9adce1cf8411821878e2ede0003dadba80d1a4
                                                                  • Instruction ID: 5ecc1d99ec4656b82724dbfec1cf4a2c3d895b818597ab0f13f1d1fa94a43448
                                                                  • Opcode Fuzzy Hash: 0cd83f57b40d9c7e4f086feb6d9adce1cf8411821878e2ede0003dadba80d1a4
                                                                  • Instruction Fuzzy Hash: B9B16AE2A0B68281EA65DA3BD58067D62A0FF44BD4F19C435DF4D07BB9DE2CE542C308
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: a45dbe67722917e9e620d8e2f6377aaf6bd03ca370a67afd48f10dc18185b7ea
                                                                  • Instruction ID: a1d0b4c96aff1f32656031bde9a95d085098320ed6b7104f884ee5e48cab5d85
                                                                  • Opcode Fuzzy Hash: a45dbe67722917e9e620d8e2f6377aaf6bd03ca370a67afd48f10dc18185b7ea
                                                                  • Instruction Fuzzy Hash: 6781E6A2D18AC689F7328F3EE84027A6691BF55754F14C331EB6E265F5DF3CA481860C
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                                  • String ID:
                                                                  • API String ID: 3053331623-0
                                                                  • Opcode ID: 16c1d222b5d30258de6498a3e0b1be7f1db093b342c1f4b2477f55804a0fa261
                                                                  • Instruction ID: d20a50dc278d61ccc504f013cab4dabbc71c9aead8c18285c0c0ddadece15ceb
                                                                  • Opcode Fuzzy Hash: 16c1d222b5d30258de6498a3e0b1be7f1db093b342c1f4b2477f55804a0fa261
                                                                  • Instruction Fuzzy Hash: FB618FE2B19A8285EB10AB7BE9002B96355FB44BD4F588631DF6D477B5DE3CE442C308
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 2067211477-0
                                                                  • Opcode ID: c5eef55b4ac746f19d02c9b4151b7f705716c06618003bfdb12a3f1d4331ac77
                                                                  • Instruction ID: a6c0027d62125d79056a379f4ef005bca7c80a6feae72050dffb8e90a88daae4
                                                                  • Opcode Fuzzy Hash: c5eef55b4ac746f19d02c9b4151b7f705716c06618003bfdb12a3f1d4331ac77
                                                                  • Instruction Fuzzy Hash: 68212FE5A0A74186EE56DB7AE810079B3A4BF88BD4F048535EF8D47B75DE3CE4008708
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _set_statfp
                                                                  • String ID:
                                                                  • API String ID: 1156100317-0
                                                                  • Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                                  • Instruction ID: 909c972f389e6815f68a6c8ccb8d6f86cfa9c3b46983a63be45a0684c314b6a5
                                                                  • Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
                                                                  • Instruction Fuzzy Hash: 2B1160AAE1CE524DFF66193DE84637514427F583B0EC48634EB7E0E6FA8E9CE841410C
                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,00007FFBBB7E94C3,?,?,00000000,00007FFBBB7E975E,?,?,?,?,?,00007FFBBB7E96EA), ref: 00007FFBBB7EE9BF
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7E94C3,?,?,00000000,00007FFBBB7E975E,?,?,?,?,?,00007FFBBB7E96EA), ref: 00007FFBBB7EE9DE
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7E94C3,?,?,00000000,00007FFBBB7E975E,?,?,?,?,?,00007FFBBB7E96EA), ref: 00007FFBBB7EEA06
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7E94C3,?,?,00000000,00007FFBBB7E975E,?,?,?,?,?,00007FFBBB7E96EA), ref: 00007FFBBB7EEA17
                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFBBB7E94C3,?,?,00000000,00007FFBBB7E975E,?,?,?,?,?,00007FFBBB7E96EA), ref: 00007FFBBB7EEA28
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: 8670fe13bb22f74c34b22405e995b167eb0ea3ebec6e5a984af4c82bd0115d3c
                                                                  • Instruction ID: 2f9f04cd68093e18b931f5be152fd3433e618785444da20e21ddda7e84b96ff4
                                                                  • Opcode Fuzzy Hash: 8670fe13bb22f74c34b22405e995b167eb0ea3ebec6e5a984af4c82bd0115d3c
                                                                  • Instruction Fuzzy Hash: D8113DA0E0C24385FA98973FD94117921557F847F4F98CA38EB2D46BF6EE2CE401970A
                                                                  APIs
                                                                  • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F), ref: 00007FFBBB7EE845
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F), ref: 00007FFBBB7EE864
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F), ref: 00007FFBBB7EE88C
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F), ref: 00007FFBBB7EE89D
                                                                  • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBBB7FB0BF,?,?,?,00007FFBBB7F27DC,?,?,?,00007FFBBB7E372F), ref: 00007FFBBB7EE8AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Value
                                                                  • String ID:
                                                                  • API String ID: 3702945584-0
                                                                  • Opcode ID: d7453682ebd60790346ddad3dc7dae4e974891c008823ebf67c4ffa64b0f24aa
                                                                  • Instruction ID: 6b669a49de92f7f93145e8d9801d9d4e0f806638787296716011ac8832a7d777
                                                                  • Opcode Fuzzy Hash: d7453682ebd60790346ddad3dc7dae4e974891c008823ebf67c4ffa64b0f24aa
                                                                  • Instruction Fuzzy Hash: 97111FE0E1824749FDA8A23FC81107912557F41374E989F34E73D1AAF2DE2DB442D25E
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                  • API String ID: 3215553584-1196891531
                                                                  • Opcode ID: 708392866f3ffc2eacb2ccc82c52df9093dcec0f36330b1e5e5f37d4ca63fa98
                                                                  • Instruction ID: 1d73794c2adef3eac3e0e0851707a1887c4c0c04ad47e9aa24dba6ffe975f543
                                                                  • Opcode Fuzzy Hash: 708392866f3ffc2eacb2ccc82c52df9093dcec0f36330b1e5e5f37d4ca63fa98
                                                                  • Instruction Fuzzy Hash: 9A8179B2E0D28285FAB58E3FC55027C2AB4BB11B88F95C035CB0E576F5DA2DA901D60D
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                  • API String ID: 3215553584-1196891531
                                                                  • Opcode ID: 8efebdb8745b2f95129e75fecac41ab326e1388f5099d9c4ecdf8f93629436d6
                                                                  • Instruction ID: 878bf963bdde91b48fffc681e9c3a15cfd0d405c230b4f8e5dcd89458547c942
                                                                  • Opcode Fuzzy Hash: 8efebdb8745b2f95129e75fecac41ab326e1388f5099d9c4ecdf8f93629436d6
                                                                  • Instruction Fuzzy Hash: 2D81ACA2D0C28385FB658E3FC65037C2BA0FF12748F59D035CB4E566B9CA2DA941974E
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  • Opcode ID: 59cfb2ac428590d5884f33eed17d7067f5edd8fb15c69a7d4ac569cc88dd1819
                                                                  • Instruction ID: c65a6d2ce8c72afb815f906a4651f61ef776a055ac5e4950d5471039e2a79427
                                                                  • Opcode Fuzzy Hash: 59cfb2ac428590d5884f33eed17d7067f5edd8fb15c69a7d4ac569cc88dd1819
                                                                  • Instruction Fuzzy Hash: EA91AEF3A097818AE750CB7AE8842AC7BA0FB45788F14812AEB8D17775DF78D195C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 2395640692-1018135373
                                                                  • Opcode ID: 0e7e05fca23d0be64c80da0afa573bb57b8c9d50aa0844b0dfc2dad01dffa221
                                                                  • Instruction ID: 7c7c534066bdc971566d029f24b9441cb13202f9812c56bd854f0bc4d24be760
                                                                  • Opcode Fuzzy Hash: 0e7e05fca23d0be64c80da0afa573bb57b8c9d50aa0844b0dfc2dad01dffa221
                                                                  • Instruction Fuzzy Hash: E9518CB2B1A6028BDB548B2AE444A3837A2FB44BD8F55C135DB4E477B4EE7DE841C704
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  • Associated: 00000008.00000002.1654586367.00007FFBBB760000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655063770.00007FFBBB806000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655141146.00007FFBBB807000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655445976.00007FFBBB880000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 00000008.00000002.1655473799.00007FFBBB886000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 3896166516-3733052814
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 3544855599-2084237596
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Similarity
                                                                  • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                  • String ID: bad locale name
                                                                  • API String ID: 2775327233-1405518554
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  • Associated: 00000008.00000002.1655538202.00007FFBBB8B0000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655733971.00007FFBBB940000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655786219.00007FFBBB96D000.00000008.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655818734.00007FFBBB970000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 00000008.00000002.1655844144.00007FFBBB971000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ossl_statem_server_write_transition$ssl\statem\statem_srvr.c
                                                                  • API String ID: 0-156501081
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_use_srtp
                                                                  • API String ID: 0-4262462768
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_etm
                                                                  • API String ID: 193678381-2237796182
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_vset_error
                                                                  • String ID: dtls_construct_change_cipher_spec$ssl\statem\statem_dtls.c
                                                                  • API String ID: 1390262125-552485801
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug
                                                                  • String ID: ossl_statem_client_process_message$ssl\statem\statem_clnt.c
                                                                  • API String ID: 193678381-934574601
                                                                  APIs
                                                                    • Part of subcall function 00007FFBBB932CA0: OPENSSL_sk_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB91B9DE), ref: 00007FFBBB932CCC
                                                                    • Part of subcall function 00007FFBBB932CA0: ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB91B9DE), ref: 00007FFBBB932CDB
                                                                    • Part of subcall function 00007FFBBB932CA0: ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB91B9DE), ref: 00007FFBBB932CF3
                                                                    • Part of subcall function 00007FFBBB932CA0: OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB91B9DE), ref: 00007FFBBB932EBA
                                                                    • Part of subcall function 00007FFBBB932CA0: X509_NAME_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBB91B9DE), ref: 00007FFBBB932EC2
                                                                  • ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB91B9E9
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB91BA01
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$E_freeL_sk_newL_sk_pop_freeR_vset_errorX509_
                                                                  • String ID: ssl\statem\extensions.c$tls_parse_certificate_authorities
                                                                  • API String ID: 2305212849-3887711058
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_vset_error
                                                                  • String ID: ssl\statem\statem_lib.c$tls_construct_key_update
                                                                  • API String ID: 1390262125-2630406174
                                                                  APIs
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AAFF
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB17
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  • ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB5D
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB92F83B), ref: 00007FFBBB92AB75
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debug$R_vset_error
                                                                  • String ID: set_client_ciphersuite$ssl\statem\statem_clnt.c
                                                                  • API String ID: 4275876640-3316213183
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_vset_error
                                                                  • String ID: ssl\statem\statem_lib.c$tls_construct_change_cipher_spec
                                                                  • API String ID: 1390262125-1264406544
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_newR_set_debugR_vset_error
                                                                  • String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_ems
                                                                  • API String ID: 1390262125-1416650426
                                                                  • Opcode ID: 31bfe024f764f0f694fc5aa2f5c3624799ede8a5f747bf9d82fba7889b7f4b9d
                                                                  • Instruction ID: 0daf20a1cd25b9db80cb6f4fa9496cc866d4498dbf01f63d74409fe634a28f82
                                                                  • Opcode Fuzzy Hash: 31bfe024f764f0f694fc5aa2f5c3624799ede8a5f747bf9d82fba7889b7f4b9d
                                                                  • Instruction Fuzzy Hash: 8BF0B4F2E0664343F7449779E4867E93650FF40304F648431DB48825A3CE2D5986C758
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                  • String ID:
                                                                  • API String ID: 2718003287-0
                                                                  • Opcode ID: 3799314ee1cfd625e11555ee89304760d3159bd2e0c66e88f2afc7bdc2c26c83
                                                                  • Instruction ID: a014a053c4ff7b94a182203c812a8723a48dd386edb00bfa9fc5d1dc2c3537e9
                                                                  • Opcode Fuzzy Hash: 3799314ee1cfd625e11555ee89304760d3159bd2e0c66e88f2afc7bdc2c26c83
                                                                  • Instruction Fuzzy Hash: 6ED1A0B2B18A818DEB11CF7AD8402AC37B2FB547D8B448225DF5D57BA9DE38D456C308
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleErrorLastMode
                                                                  • String ID:
                                                                  • API String ID: 953036326-0
                                                                  • Opcode ID: bfd713935063917cc9986b786dede5837a95fe393c82948e6561126edaf099fd
                                                                  • Instruction ID: 0ff7133533354affc6cc803203d1077cd3b3d599fdac6004a107786fa6b09c3e
                                                                  • Opcode Fuzzy Hash: bfd713935063917cc9986b786dede5837a95fe393c82948e6561126edaf099fd
                                                                  • Instruction Fuzzy Hash: C391B7A2F2869285F7549F7ED8402BD2BA4BB45B88F548139DF0E56EB4DE38D442C70C
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo
                                                                  • String ID:
                                                                  • API String ID: 3215553584-0
                                                                  • Opcode ID: c5b8750d38824bf2c705dc17d82750f8ee3abaf0229cca77347289f3f593e0c6
                                                                  • Instruction ID: 7c3365dda38c7880628806fc854717dd75bef48f108c381d71a3b05d7fac5c88
                                                                  • Opcode Fuzzy Hash: c5b8750d38824bf2c705dc17d82750f8ee3abaf0229cca77347289f3f593e0c6
                                                                  • Instruction Fuzzy Hash: 694118B290464681EB616F6AD41127D32AAFF44F64F54C231DBAD073F8EE3CA491C71A
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 4ceac8830371720be4db30080552c56735b85db0be38725c9d9d282a24d9eecf
                                                                  • Instruction ID: 960e99befbc43be124aeb345614768894ce4555ef6d0b1f0785fe0d7d2c3990d
                                                                  • Opcode Fuzzy Hash: 4ceac8830371720be4db30080552c56735b85db0be38725c9d9d282a24d9eecf
                                                                  • Instruction Fuzzy Hash: 41114562B24B068AEB008F78EC442B833A4FB19759F440E31EB2D867A4DF78D1988340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1642666606.00007FFBAA898000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFBAA770000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbaa770000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
                                                                  • Instruction ID: 04d4651995a62c44b4d44bf3e1c79fdd3c0cc0bca0241575b15da42ec01904fb
                                                                  • Opcode Fuzzy Hash: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
                                                                  • Instruction Fuzzy Hash: E6114C66B15B05C9EB018F70E8542A833A8FB19B58F440A35DE2D467A4EF78D5568350
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: __except_validate_context_record
                                                                  • String ID: csm$csm
                                                                  • API String ID: 1467352782-3733052814
                                                                  • Opcode ID: acfedaecfa21d29a54b4768025f156be0f70de59702f3b5b078f9a19ada8114b
                                                                  • Instruction ID: 9191ec28300bfe6ccc03174328681bfb3e25b09c12c171400658e7b4354e1573
                                                                  • Opcode Fuzzy Hash: acfedaecfa21d29a54b4768025f156be0f70de59702f3b5b078f9a19ada8114b
                                                                  • Instruction Fuzzy Hash: BB71ADE290A6818ADB618B3AD4487787BA0FB04BC4F14C135DF8C47AB9CF6CD5A1D748
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                  • String ID: ?
                                                                  • API String ID: 1286766494-1684325040
                                                                  • Opcode ID: 7c6634978e63bc6cfdd9526200d8ada95340b4251f1642bc68eb96d7f0d0ea28
                                                                  • Instruction ID: df6611cc2fa57daf5e435c42ffef312302f07561e0f13ed2544fa0d444f7589b
                                                                  • Opcode Fuzzy Hash: 7c6634978e63bc6cfdd9526200d8ada95340b4251f1642bc68eb96d7f0d0ea28
                                                                  • Instruction Fuzzy Hash: 6141C4A2A186C246FB649B3BE45137A6665FF80BA4F248235EF5C06AF5DF3CD441870C
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFrameInfo__except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 2558813199-1018135373
                                                                  • Opcode ID: 82f6d9a556e8a4db2300196d5a2a1be1af8ad0f9d735eeaf5ee8ac932018ec2a
                                                                  • Instruction ID: 5883488be086a76a9fa208b51059100d5e3f8ea71422beeeec811c306a785164
                                                                  • Opcode Fuzzy Hash: 82f6d9a556e8a4db2300196d5a2a1be1af8ad0f9d735eeaf5ee8ac932018ec2a
                                                                  • Instruction Fuzzy Hash: 91514BF661A74186E620AB2AE14026E77A4FB89BE5F145134EB8D07B75CF38E461CB04
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastWrite
                                                                  • String ID: U
                                                                  • API String ID: 442123175-4171548499
                                                                  • Opcode ID: 1c5baf15f1addb8e5ce662da58281797f187834669ca24fc89185a086a58d60d
                                                                  • Instruction ID: 07068b759b7e510e81eeed101b404766865f15955786603044ab751d40b3eb90
                                                                  • Opcode Fuzzy Hash: 1c5baf15f1addb8e5ce662da58281797f187834669ca24fc89185a086a58d60d
                                                                  • Instruction Fuzzy Hash: EA41E5A2719A8586DB209F3AE8443B977A1FB88794F858031EF4D877A8DF3CD401C748
                                                                  APIs
                                                                  • BIO_write_ex.LIBCRYPTO-3-X64(?,00000030,00007FFBBB8E686A,00000000,?,?,00007FFBBB8E6CE8,00000000,00007FFBBB8E8477,02000100,00007FFBBB8E7847,?,00007FFBBB8E96D5,02000100,00007FFBBB8EE4FE), ref: 00007FFBBB8E69E3
                                                                    • Part of subcall function 00007FFBBB8E61D0: BIO_write_ex.LIBCRYPTO-3-X64(?,00007FFBBB8E65BF,?,00007FFBBB8E63F5,?,00007FFBBB8E5FE1,00000000,00007FFBBB8E6D3C,?,00007FFBBB8E8468,02000100,00007FFBBB8E7847,?,00007FFBBB8E96D5,02000100,00007FFBBB8EE4FE), ref: 00007FFBBB8E6283
                                                                  • memcpy.VCRUNTIME140(?,00000030,00007FFBBB8E686A,00000000,?,?,00007FFBBB8E6CE8,00000000,00007FFBBB8E8477,02000100,00007FFBBB8E7847,?,00007FFBBB8E96D5,02000100,00007FFBBB8EE4FE), ref: 00007FFBBB8E6A22
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: O_write_ex$memcpy
                                                                  • String ID: \u00
                                                                  • API String ID: 2000845359-188400610
                                                                  • Opcode ID: 7e8a7a027ac97acd49fc4236f48b8d564cca3361a61dcb43984a64c161ddd71f
                                                                  • Instruction ID: 0b4dda2e48a683aade5e46e27ad9a7f1314ee1083dfe3e66f7207a7586efd15e
                                                                  • Opcode Fuzzy Hash: 7e8a7a027ac97acd49fc4236f48b8d564cca3361a61dcb43984a64c161ddd71f
                                                                  • Instruction Fuzzy Hash: ED2183A2A08A8293D6609F79E5402AD7BA0FB45784F18D035DF8C17AA6DF7DE8718314
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1654677810.00007FFBBB761000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBBB760000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb760000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: 8adbea8ae4a9d307575151ca02fe16c3afb6393bd6d00009f41194b1d853cebc
                                                                  • Instruction ID: 9e1509457c1f459494f339b8a636c3c57f7779d83b8eb977270f20b711e7de4e
                                                                  • Opcode Fuzzy Hash: 8adbea8ae4a9d307575151ca02fe16c3afb6393bd6d00009f41194b1d853cebc
                                                                  • Instruction Fuzzy Hash: E3115E72619B8182EB208F29E80026977E0FB88B84F598630DBCD07778DF3CD551CB04
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffbbb8b0000_openvpn.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #
                                                                  • API String ID: 0-1885708031
                                                                  • Opcode ID: 7d61655720d5b3a9f4bdf40f64c4ee573691099f3114abfc23b8a0f9f70256f5
                                                                  • Instruction ID: ce40308b214aa44fb6945e5a6dcc72ed1226406de54b3c8d47c71666c36f2acb
                                                                  • Opcode Fuzzy Hash: 7d61655720d5b3a9f4bdf40f64c4ee573691099f3114abfc23b8a0f9f70256f5
                                                                  • Instruction Fuzzy Hash: E711EDE3E0924386FBA58A79D0983BC2691FBC4B04F189175DB8C0A6E5CFBC95D48719
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flagsR_newR_set_debug
                                                                  • String ID: $
                                                                  • API String ID: 4119164335-3993045852
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flags
                                                                  • String ID: 0
                                                                  • API String ID: 3946675294-4108050209
                                                                  APIs
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,00000000,-00000031,00007FFBBB928862), ref: 00007FFBBB928CEC
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_set_debugR_vset_error
                                                                  • String ID: ssl\statem\statem.c$write_state_machine
                                                                  • API String ID: 3681713388-3145639028
                                                                  APIs
                                                                  • ERR_set_debug.LIBCRYPTO-3-X64(?,?,00000000,-00000031,00007FFBBB928862), ref: 00007FFBBB928CEC
                                                                    • Part of subcall function 00007FFBBB927DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBB9123E4), ref: 00007FFBBB927E0F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: R_set_debugR_vset_error
                                                                  • String ID: ssl\statem\statem.c$write_state_machine
                                                                  • API String ID: 3681713388-3145639028
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flags
                                                                  • String ID: $
                                                                  • API String ID: 3946675294-3993045852
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flags
                                                                  • String ID: #
                                                                  • API String ID: 3946675294-1885708031
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.1655579386.00007FFBBB8B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBB8B0000, based on PE: true
                                                                  Similarity
                                                                  • API ID: O_clear_flagsO_set_flags
                                                                  • String ID:
                                                                  • API String ID: 3946675294-3916222277