Edit tour

Windows Analysis Report
Setup.msi

Overview

General Information

Sample name:	Setup.msi
Analysis ID:	1569989
MD5:	1f3f76a13d8e6acf1d558a8e4881d0f8
SHA1:	79547be133bb2324b747adb207506b5442a2f245
SHA256:	0339fed5c288bcc81b2c228b4b10924317bae6c529d9ac17b8007f0285b06295
Tags:	LegionLoadermsiRobotDroppersearch-keys-comuser-aachum
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Bypasses PowerShell execution policy

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious MsiExec Embedding Parent

Sigma detected: Use Short Name Path in Command Line

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7024 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2980 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3964 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337 MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 7500 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

openvpn.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe" MD5: 5E807B5DAD1B6C81982037C714DC9AEF)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3964, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3964, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3964, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.67.204.246, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3964, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49740

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3964, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 3964, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7500, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T13:51:51.464918+0100	2829202	1	A Network Trojan was detected	192.168.2.7	49740	172.67.204.246	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Setup.msi

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825E520 NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free,	10_2_00007FF71825E520
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825E590 MultiByteToWideChar,malloc,MultiByteToWideChar,CertFindExtension,CryptDecodeObject,malloc,CryptDecodeObject,_stricmp,free,CryptFindOIDInfo,CryptFindOIDInfo,_stricmp,free,free,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,isxdigit,isxdigit,strncmp,CertFindCertificateInStore,CertVerifyTimeValidity,CertFindCertificateInStore,free,OBJ_sn2nid,EVP_PKEY_get_bits,NCryptSignHash,SetLastError,strcmp,NCryptSignHash,SetLastError,calloc,CertOpenStore,CertCloseStore,CertOpenStore,CertCloseStore,CertGetNameStringW,malloc,CertGetNameStringW,d2i_X509,CryptAcquireCertificatePrivateKey,X509_free,NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free,free,free,X509_get_pubkey,free,free,	10_2_00007FF71825E590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825DE90 EVP_CIPHER_CTX_new,EVP_des_ede3_ecb,EVP_EncryptInit_ex,EVP_EncryptUpdate,EVP_EncryptFinal,_exit,EVP_CIPHER_CTX_free,	10_2_00007FF71825DE90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DF380 malloc,EVP_CipherInit_ex,EVP_CipherUpdate,_exit,EVP_CipherFinal,malloc,malloc,EVP_MAC_init,_exit,EVP_MAC_update,EVP_MAC_update,EVP_MAC_CTX_get_mac_size,EVP_MAC_final,CRYPTO_memcmp,malloc,malloc,htonl,htonl,free,free,ERR_clear_error,free,free,	10_2_00007FF7182DF380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71827DB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv,	10_2_00007FF71827DB60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825D7B0 BIO_new_mem_buf,_exit,PEM_read_bio,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	10_2_00007FF71825D7B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718260C90 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,	10_2_00007FF718260C90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718294D00 SetConsoleOutputCP,memset,memset,__acrt_iob_func,__acrt_iob_func,CRYPTO_get_ex_new_index,OPENSSL_init_crypto,memset,malloc,calloc,	10_2_00007FF718294D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88A530 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,UpdateResourceW,SetLocalTime,lstrcmpW,GetWriteWatch,GetThreadDescription,TzSpecificLocalTimeToSystemTimeEx,CreateTimerQueue,MapViewOfFile,TerminateProcess,GlobalUnlock,SetThreadUILanguage,GetTickCount,SetConsoleCP,GetProcessIoCounters,GetComputerNameW,CreateThreadpoolWork,CreateSemaphoreW,CloseHandle,BindIoCompletionCallback,TrySubmitThreadpoolCallback,AddSecureMemoryCacheCallback,GetSystemPowerStatus,CopyFileW,UnlockFileEx,GetNamedPipeClientComputerNameW,LCMapStringW,FindFirstStreamTransactedW,EnumSystemGeoID,GetDurationFormatEx,FindNextFileW,SetCurrentDirectoryW,GetCalendarInfoEx,IsValidLocale,CreateDirectoryTransactedW,FreeUserPhysicalPages,GetProcessGroupAffinity,AddResourceAttributeAce,VerSetConditionMask,CreateThreadpoolWait,GetComputerNameExW,GetUserPreferredUILanguages,LocalFree,WriteFile,SetThreadLocale,CreateDirectoryExW,GetNamedPipeInfo,CompareFileTime,CancelSynchronousIo,GetProcessTimes,NeedCurrentDirectoryForExePathW,VirtualProtect,SetProcessDEPPolicy,TransmitCommChar,GetFileBandwidthReservation,CreateSemaphoreExW,SetNamedPipeHandleState,SetThreadDescription,CreateSymbolicLinkTransactedW,TryAcquireSRWLockShared,GetProcessHeaps,GetCPInfo,DiscardVirtualMemory,GetCurrentConsoleFont,GetFileMUIInfo,FileTimeToLocalFileTime,VerSetConditionMask,AddVectoredContinueHandler,GetSystemRegistryQuota,GetApplicationRestartSettings,DeleteTimerQueue,OutputDebugStringA,	10_2_00007FFB1C88A530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998028 CryptReleaseContext,	10_2_00007FFB1C998028
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998010 CryptGenRandom,	10_2_00007FFB1C998010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9E91 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_CTX_copy_ex,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	10_2_00007FFB1DEC9E91
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA5E80 CRYPTO_free,	10_2_00007FFB1DEA5E80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE91E80 CRYPTO_realloc,	10_2_00007FFB1DE91E80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9E7A ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	10_2_00007FFB1DEC9E7A
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE89E70 OPENSSL_LH_free,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	10_2_00007FFB1DE89E70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBFE60 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEBFE60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73E50 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFB1DE73E50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC1E40 CRYPTO_realloc,	10_2_00007FFB1DEC1E40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5DE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE5DE10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE79E10 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,	10_2_00007FFB1DE79E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED9E10 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DED9E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE55DB0 CRYPTO_malloc,	10_2_00007FFB1DE55DB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE57DA0 CRYPTO_free,	10_2_00007FFB1DE57DA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3D80 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEA3D80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,	10_2_00007FFB1DE73D70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9D1A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC9D1A
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9D03 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	10_2_00007FFB1DEC9D03
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE79CD0 EVP_MAC_CTX_free,CRYPTO_free,	10_2_00007FFB1DE79CD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8FCC0 CRYPTO_free,	10_2_00007FFB1DE8FCC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74070 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFB1DE74070
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC6050 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC6050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB8050 CRYPTO_malloc,COMP_expand_block,	10_2_00007FFB1DEB8050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7A040 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,	10_2_00007FFB1DE7A040
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE90020 CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_free,	10_2_00007FFB1DE90020
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA8010 CRYPTO_zalloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DEA8010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE92010 CRYPTO_free,	10_2_00007FFB1DE92010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5BFF0 CRYPTO_THREAD_run_once,	10_2_00007FFB1DE5BFF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE85FB0 CRYPTO_realloc,	10_2_00007FFB1DE85FB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBDFB0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	10_2_00007FFB1DEBDFB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE59F90 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	10_2_00007FFB1DE59F90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECBF80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_is_a,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	10_2_00007FFB1DECBF80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5DF70 CRYPTO_malloc,BIO_snprintf,	10_2_00007FFB1DE5DF70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9F76 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEC9F76
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA5F70 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DEA5F70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3F60 CRYPTO_malloc,CRYPTO_free,	10_2_00007FFB1DEA3F60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE79F40 OSSL_PROVIDER_do_all,CRYPTO_malloc,memcpy,	10_2_00007FFB1DE79F40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73F00 CRYPTO_free,CRYPTO_strdup,	10_2_00007FFB1DE73F00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE51EC0 CRYPTO_free,	10_2_00007FFB1DE51EC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7DEB0 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	10_2_00007FFB1DE7DEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9BEB0 CRYPTO_zalloc,	10_2_00007FFB1DE9BEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC3A90 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC3A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBBA90 CRYPTO_free,	10_2_00007FFB1DEBBA90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE63A70 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OSSL_STACK_OF_X509_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE63A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73A70 CRYPTO_get_ex_data,	10_2_00007FFB1DE73A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE91A70 CRYPTO_free,	10_2_00007FFB1DE91A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB1A60 CRYPTO_free,	10_2_00007FFB1DEB1A60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5DA50 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OSSL_STACK_OF_X509_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	10_2_00007FFB1DE5DA50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBBA40 CRYPTO_free,	10_2_00007FFB1DEBBA40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA1A39 CRYPTO_malloc,CRYPTO_free,	10_2_00007FFB1DEA1A39
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9A2F memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEC9A2F
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE59A20 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	10_2_00007FFB1DE59A20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE879E0 CRYPTO_malloc,memcpy,BIO_snprintf,BIO_snprintf,CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_new_file,BIO_free_all,CRYPTO_free,BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE879E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE919B0 CRYPTO_malloc,	10_2_00007FFB1DE919B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE61950 CRYPTO_free,CRYPTO_strdup,	10_2_00007FFB1DE61950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC5930 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC5930
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB9900 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEB9900
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE878E0 BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE878E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8B8E0 CRYPTO_free,CRYPTO_free,OSSL_ERR_STATE_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE8B8E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECB8B0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,RAND_bytes_ex,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	10_2_00007FFB1DECB8B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECBC70 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	10_2_00007FFB1DECBC70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE59C50 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	10_2_00007FFB1DE59C50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE51C50 CRYPTO_zalloc,	10_2_00007FFB1DE51C50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9BC50 CRYPTO_free,	10_2_00007FFB1DE9BC50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE53C40 ERR_clear_error,ERR_new,ERR_set_debug,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,SetLastError,BIO_read,BIO_ADDR_new,BIO_ctrl,BIO_ctrl,BIO_ADDR_free,BIO_write,BIO_ctrl,BIO_test_flags,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_ctrl,BIO_ADDR_clear,BIO_write,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_test_flags,BIO_ADDR_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE53C40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6BC10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	10_2_00007FFB1DE6BC10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE57BEE CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DE57BEE
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE51BE0 CRYPTO_zalloc,	10_2_00007FFB1DE51BE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEADBD0 CRYPTO_memcmp,	10_2_00007FFB1DEADBD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9B83 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC9B83
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9B6C EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,CRYPTO_malloc,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	10_2_00007FFB1DEC9B6C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE77B60 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,ERR_new,ERR_set_debug,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	10_2_00007FFB1DE77B60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9B55 ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free,	10_2_00007FFB1DEC9B55
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB7AC0 ERR_new,ERR_set_debug,CRYPTO_malloc,COMP_expand_block,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEB7AC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6DAA0 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_new,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_memdup,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE6DAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6D68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free,	10_2_00007FFB1DE6D68B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB670 CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEBB670
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73650 CRYPTO_THREAD_unlock,	10_2_00007FFB1DE73650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8B600 CRYPTO_free,	10_2_00007FFB1DE8B600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC1600 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC1600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB5F0 CRYPTO_free,	10_2_00007FFB1DEBB5F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE515D0 CRYPTO_free,	10_2_00007FFB1DE515D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE775C0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	10_2_00007FFB1DE775C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE535C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,	10_2_00007FFB1DE535C8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE59590 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFB1DE59590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9570 ERR_new,ERR_set_debug,CRYPTO_clear_free,	10_2_00007FFB1DEC9570
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE75560 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	10_2_00007FFB1DE75560
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECB540 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	10_2_00007FFB1DECB540
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED5530 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DED5530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5B500 CRYPTO_free,	10_2_00007FFB1DE5B500
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE65500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	10_2_00007FFB1DE65500
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE734E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	10_2_00007FFB1DE734E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA34D0 CRYPTO_free,	10_2_00007FFB1DEA34D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8B4C0 CRYPTO_zalloc,	10_2_00007FFB1DE8B4C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC1880 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC1880
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE57870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	10_2_00007FFB1DE57870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB7870 CRYPTO_free,	10_2_00007FFB1DEB7870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE59850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	10_2_00007FFB1DE59850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE65840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	10_2_00007FFB1DE65840
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE73840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE73840
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE63820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc,	10_2_00007FFB1DE63820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED1820 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED1820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3820 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEA3820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB97F0 CRYPTO_malloc,ERR_new,ERR_set_debug,	10_2_00007FFB1DEB97F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBD7C0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,	10_2_00007FFB1DEBD7C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB7B0 CRYPTO_free,	10_2_00007FFB1DEBB7B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE65780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host,	10_2_00007FFB1DE65780
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB9770 CRYPTO_free,	10_2_00007FFB1DEB9770
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB760 CRYPTO_free,	10_2_00007FFB1DEBB760
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE51740 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE51740
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDB730 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEDB730
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA7720 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEA7720
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE63700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE63700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB9700 OPENSSL_cleanse,CRYPTO_free,	10_2_00007FFB1DEB9700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE856E0 CRYPTO_zalloc,	10_2_00007FFB1DE856E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE536C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,	10_2_00007FFB1DE536C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBD6B0 ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEBD6B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC76B0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC76B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAF280 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,	10_2_00007FFB1DEAF280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA1277 CRYPTO_realloc,	10_2_00007FFB1DEA1277
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED1260 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED1260
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE55240 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE55240
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE93230 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE93230
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	10_2_00007FFB1DE5321D
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE71210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	10_2_00007FFB1DE71210
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB210 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEBB210
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE851F0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	10_2_00007FFB1DE851F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBB1B0 CRYPTO_free,	10_2_00007FFB1DEBB1B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED91A0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DED91A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3190 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,	10_2_00007FFB1DEA3190
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBF170 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	10_2_00007FFB1DEBF170
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7D150 CRYPTO_free,CRYPTO_malloc,	10_2_00007FFB1DE7D150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9D140 CRYPTO_realloc,	10_2_00007FFB1DE9D140
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC7130 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC7130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB3130 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEB3130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE69120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE69120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8D110 CRYPTO_free,	10_2_00007FFB1DE8D110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE850E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	10_2_00007FFB1DE850E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5B0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,	10_2_00007FFB1DE5B0B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA30B0 EVP_EncryptUpdate,OPENSSL_LH_retrieve,	10_2_00007FFB1DEA30B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED9470 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DED9470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7D450 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE7D450
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9F3E0 CRYPTO_realloc,	10_2_00007FFB1DE9F3E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE513A0 CRYPTO_free,	10_2_00007FFB1DE513A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5D360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE5D360
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE67360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	10_2_00007FFB1DE67360
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3350 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free,	10_2_00007FFB1DEA3350
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7D320 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE7D320
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA5320 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free,	10_2_00007FFB1DEA5320
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECB310 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	10_2_00007FFB1DECB310
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE79300 CRYPTO_realloc,memcpy,	10_2_00007FFB1DE79300
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA52E0 BIO_free,CRYPTO_free,	10_2_00007FFB1DEA52E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8B2E0 CRYPTO_free,	10_2_00007FFB1DE8B2E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE732C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE732C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC12B0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC12B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC4E90 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC4E90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAEE90 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEAEE90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE54E80 CRYPTO_free,	10_2_00007FFB1DE54E80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB8E60 CRYPTO_zalloc,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_uint,ERR_new,strcmp,OSSL_PARAM_get_uint32,ERR_new,strcmp,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_int,ERR_new,ERR_new,ERR_set_debug,BIO_up_ref,BIO_free,BIO_up_ref,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_CIPHER_is_a,EVP_CIPHER_is_a,	10_2_00007FFB1DEB8E60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDCE30 BN_bin2bn,ERR_new,ERR_set_debug,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEDCE30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6CDC0 CRYPTO_malloc,CRYPTO_clear_free,	10_2_00007FFB1DE6CDC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5EDB0 CRYPTO_THREAD_run_once,	10_2_00007FFB1DE5EDB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9ADA0 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,	10_2_00007FFB1DE9ADA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC8D60 CRYPTO_free,CRYPTO_memdup,	10_2_00007FFB1DEC8D60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB8D50 BIO_free,BIO_free,BIO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,CRYPTO_free,	10_2_00007FFB1DEB8D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE84D40 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,	10_2_00007FFB1DE84D40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7CD20 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE7CD20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED0D00 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DED0D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBCD00 EVP_MD_get_size,ERR_new,ERR_set_debug,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,EVP_DigestUpdate,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key_ex,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	10_2_00007FFB1DEBCD00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA2CF0 OPENSSL_LH_retrieve,CRYPTO_zalloc,CRYPTO_free,OPENSSL_LH_insert,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_insert,	10_2_00007FFB1DEA2CF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC0CF0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	10_2_00007FFB1DEC0CF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5ECD0 COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	10_2_00007FFB1DE5ECD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9ACD0 CRYPTO_free,	10_2_00007FFB1DE9ACD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74CC0 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,memcpy,	10_2_00007FFB1DE74CC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAECB0 CRYPTO_free,	10_2_00007FFB1DEAECB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED0CA0 CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED0CA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE65070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE65070
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAF060 CRYPTO_malloc,CRYPTO_free,	10_2_00007FFB1DEAF060
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE65050 CRYPTO_set_ex_data,	10_2_00007FFB1DE65050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE75050 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DE75050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA3050 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,	10_2_00007FFB1DEA3050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE51030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv,	10_2_00007FFB1DE51030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5D010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE5D010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE71000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE71000
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE56FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	10_2_00007FFB1DE56FC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAEF60 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEAEF60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE62F50 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	10_2_00007FFB1DE62F50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED0F50 CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED0F50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA2F00 OPENSSL_LH_retrieve,CRYPTO_free,OPENSSL_LH_delete,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free,	10_2_00007FFB1DEA2F00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE70EF0 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE70EF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7CEE0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DE7CEE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE66A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	10_2_00007FFB1DE66A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52A80 CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE52A80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDAA80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEDAA80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE64A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE64A72
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE84A70 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	10_2_00007FFB1DE84A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDCA60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	10_2_00007FFB1DEDCA60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9AA60 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	10_2_00007FFB1DE9AA60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC2A50 CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEC2A50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74A30 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DE74A30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE649F0 CRYPTO_memdup,CRYPTO_free,	10_2_00007FFB1DE649F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAA9E0 CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEAA9E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6E9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	10_2_00007FFB1DE6E9C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7C9B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE7C9B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DECC9B0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	10_2_00007FFB1DECC9B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA89A0 CRYPTO_realloc,	10_2_00007FFB1DEA89A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9E960 CRYPTO_zalloc,	10_2_00007FFB1DE9E960
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA4950 OPENSSL_LH_delete,CRYPTO_free,	10_2_00007FFB1DEA4950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free,	10_2_00007FFB1DE52940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB2940 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEB2940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA0920 CRYPTO_malloc,memcpy,CRYPTO_free,	10_2_00007FFB1DEA0920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9A920 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	10_2_00007FFB1DE9A920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA6921 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts,	10_2_00007FFB1DEA6921
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAE920 CRYPTO_free,	10_2_00007FFB1DEAE920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7A8C0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,	10_2_00007FFB1DE7A8C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA08C0 CRYPTO_clear_free,CRYPTO_free,	10_2_00007FFB1DEA08C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE968C0 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE968C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAE8C0 CRYPTO_free,	10_2_00007FFB1DEAE8C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE58C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	10_2_00007FFB1DE58C60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52C60 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE52C60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC6C00 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC6C00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAAC00 CRYPTO_realloc,	10_2_00007FFB1DEAAC00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB6C00 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,	10_2_00007FFB1DEB6C00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6ABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE6ABF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE86BC0 CRYPTO_malloc,	10_2_00007FFB1DE86BC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED6BB0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	10_2_00007FFB1DED6BB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7CB90 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE7CB90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC4B90 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC4B90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5AB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	10_2_00007FFB1DE5AB80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5CB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	10_2_00007FFB1DE5CB70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE86B40 CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE86B40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC2B00 CRYPTO_realloc,	10_2_00007FFB1DEC2B00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6AAD0 CRYPTO_set_ex_data,	10_2_00007FFB1DE6AAD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAAAD0 CRYPTO_zalloc,	10_2_00007FFB1DEAAAD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5CAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,	10_2_00007FFB1DE5CAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9EAB0 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,	10_2_00007FFB1DE9EAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74670 CRYPTO_free,CRYPTO_malloc,memcpy,	10_2_00007FFB1DE74670
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED4630 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,	10_2_00007FFB1DED4630
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED861C CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DED861C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6C610 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE6C610
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED85F6 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	10_2_00007FFB1DED85F6
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED85E4 ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OSSL_STACK_OF_X509_free,EVP_PKEY_free,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free,	10_2_00007FFB1DED85E4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE845B0 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	10_2_00007FFB1DE845B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE625A0 CRYPTO_strdup,CRYPTO_free,	10_2_00007FFB1DE625A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE78590 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_new,ERR_set_mark,EVP_KEYMGMT_fetch,X509_STORE_CTX_get0_param,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_nid2obj,OBJ_create,OBJ_create,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,OBJ_add_sigid,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE78590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8E520 memcmp,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_set_debug,OSSL_ERR_STATE_new,OSSL_ERR_STATE_save,CRYPTO_free,	10_2_00007FFB1DE8E520
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC0510 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC0510
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE984E0 CRYPTO_free,	10_2_00007FFB1DE984E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE624D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	10_2_00007FFB1DE624D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED84B7 ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED84B7
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBA4B0 RAND_bytes_ex,CRYPTO_malloc,memset,	10_2_00007FFB1DEBA4B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE744A0 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE744A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA2890 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free,	10_2_00007FFB1DEA2890
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5E880 CRYPTO_THREAD_run_once,	10_2_00007FFB1DE5E880
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52860 CRYPTO_zalloc,InitializeCriticalSection,	10_2_00007FFB1DE52860
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAE860 CRYPTO_malloc,	10_2_00007FFB1DEAE860
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74850 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE74850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9C850 CRYPTO_malloc,memcmp,memcpy,memcpy,	10_2_00007FFB1DE9C850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE58812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	10_2_00007FFB1DE58812
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC2800 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEC2800
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE527F0 DeleteCriticalSection,CRYPTO_free,	10_2_00007FFB1DE527F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9E7B0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE9E7B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA2780 OPENSSL_cleanse,CRYPTO_free,	10_2_00007FFB1DEA2780
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDC770 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DEDC770
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE58720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	10_2_00007FFB1DE58720
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9A710 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_free,CRYPTO_free,	10_2_00007FFB1DE9A710
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5E700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,	10_2_00007FFB1DE5E700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA2700 OPENSSL_cleanse,CRYPTO_free,	10_2_00007FFB1DEA2700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED26D0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	10_2_00007FFB1DED26D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA0280 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DEA0280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74270 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE74270
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC0240 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	10_2_00007FFB1DEC0240
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6E220 CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	10_2_00007FFB1DE6E220
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9C220 CRYPTO_free,	10_2_00007FFB1DE9C220
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE921F0 CRYPTO_zalloc,BIO_ctrl,BIO_ctrl,	10_2_00007FFB1DE921F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE681E0 CRYPTO_get_ex_data,	10_2_00007FFB1DE681E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB81A0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_mark,ERR_clear_last_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	10_2_00007FFB1DEB81A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE66190 CRYPTO_malloc,CRYPTO_free,	10_2_00007FFB1DE66190
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDC180 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,EVP_PKEY_derive_set_peer,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,	10_2_00007FFB1DEDC180
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74170 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	10_2_00007FFB1DE74170
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE78150 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DE78150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE60130 CRYPTO_zalloc,CRYPTO_free,	10_2_00007FFB1DE60130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE74130 CRYPTO_set_ex_data,	10_2_00007FFB1DE74130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA0120 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEA0120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC2100 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEC2100
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE840F0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	10_2_00007FFB1DE840F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE640E0 CRYPTO_get_ex_data,	10_2_00007FFB1DE640E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED0490 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DED0490
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE92480 CRYPTO_zalloc,	10_2_00007FFB1DE92480
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB2480 BIO_write_ex,BIO_write_ex,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	10_2_00007FFB1DEB2480
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52460 CRYPTO_malloc,CRYPTO_zalloc,InitializeCriticalSection,CreateSemaphoreA,CreateSemaphoreA,CloseHandle,CRYPTO_free,	10_2_00007FFB1DE52460
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE70450 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	10_2_00007FFB1DE70450

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.204.246:443 -> 192.168.2.7:49740 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: Setup.msi, MSIEA9F.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, MSIE0AB.tmp.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 0000000A.00000002.1646484400.00007FFB0BC8C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi
Source:	Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 0000000A.00000002.1648309311.00007FFB23B21000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.3.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.3.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, MSIE0AB.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: Setup.msi, MSIEA9F.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi
Source:	Binary string: D:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: UnRar.exe.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSI91C9.tmp.3.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.3.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C887530 DefWindowProcW,InvalidateRect,BeginPaint,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,EndPaint,KillTimer,PostQuitMessage,SetTimer,GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,FreeResource,GetNamedPipeServerSessionId,SetDefaultCommConfigW,CreateDIBPatternBrushPt,SetComputerNameExW,GetRegionData,GetCommMask,PaintRgn,GetPrivateProfileStructW,FreeConsole,SetProcessAffinityMask,SetFileInformationByHandle,GetVolumeInformationByHandleW,DefineDosDeviceW,GetSystemFileCacheSize,SetWaitableTimer,GetTextColor,SetConsoleCtrlHandler,EnumResourceTypesExW,ReadDirectoryChangesW,WaitForThreadpoolWorkCallbacks,GetProcessGroupAffinity,SetPolyFillMode,MulDiv,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleCP,CommConfigDialogW,lstrcmpiW,EnumTimeFormatsW,GetConsoleProcessList,FindFirstStreamTransactedW,BuildCommDCBAndTimeoutsW,SetThreadExecutionState,IsBadStringPtrW,AllocateUserPhysicalPagesNuma,SetThreadDescription,ConvertThreadToFiber,BuildCommDCBW,FreeUserPhysicalPages,SetCalendarInfoW,HeapValidate,GetCompressedFileSizeW,HeapSize,AddIntegrityLabelToBoundaryDescriptor,CreateEventExW,DeleteBoundaryDescriptor,UnregisterApplicationRecoveryCallback,RegisterBadMemoryNotification,EscapeCommFunction,SetEvent,DeleteVolumeMountPointW,GetTickCount,ReadFileEx,ContinueDebugEvent,SetThreadPriorityBoost,TrySubmitThreadpoolCallback,MoveFileWithProgressW,CreateFiber,InitializeCriticalSectionAndSpinCount,FindFirstFileNameW,VirtualProtect,GetEnvironmentStringsW,GetOverlappedResult,IsValidLanguageGroup,QueueUserWorkItem,GlobalReAlloc,ExitProcess,	10_2_00007FFB1C887530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88F150 GetThreadUILanguage,FreeLibraryWhenCallbackReturns,TransactNamedPipe,WriteProfileSectionW,VirtualFreeEx,SetComputerNameExW,FatalAppExitW,RemoveVectoredExceptionHandler,DeleteFiber,SetConsoleCtrlHandler,GetFinalPathNameByHandleW,GetOEMCP,CreateThreadpoolIo,EnumCalendarInfoW,FlsAlloc,ConvertThreadToFiberEx,CreateMailslotW,GetUserPreferredUILanguages,GetConsoleWindow,CreateFileMappingFromApp,AddDllDirectory,IsBadWritePtr,OutputDebugStringW,DeleteProcThreadAttributeList,BackupWrite,GetLogicalProcessorInformation,LocalFileTimeToFileTime,FindFirstFileNameW,GetModuleFileNameW,CreateSymbolicLinkW,WriteConsoleOutputCharacterW,GetProcessIdOfThread,OutputDebugStringA,	10_2_00007FFB1C88F150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88CD30 RemoveMenu,GetProcessWorkingSetSizeEx,CloseWindow,DrawAnimatedRects,FindNextVolumeMountPointW,SwitchToThread,CloseThreadpoolTimer,UpdateResourceW,SetProtectedPolicy,GetClassWord,GetModuleHandleW,SetHandleInformation,SetWindowTextW,CopyFile2,GetAtomNameW,SetFilePointer,SetMailslotInfo,PostMessageW,GetProcessHandleCount,SetLayeredWindowAttributes,GetFileInformationByHandle,IsValidLanguageGroup,GetProcAddress,ReOpenFile,CreateCompatibleBitmap,SetDIBits,GlobalFree,MapUserPhysicalPagesScatter,CreateMemoryResourceNotification,Wow64GetThreadContext,UnregisterWait,SelectClipRgn,SetLocalTime,SelectObject,SetDefaultDllDirectories,FindFirstVolumeMountPointW,ExpandEnvironmentStringsW,GetNumaProximityNodeEx,CancelWaitableTimer,HeapWalk,Wow64SuspendThread,FlushFileBuffers,SetFileTime,FindFirstFileTransactedW,GetSystemDirectoryW,SizeofResource,EnumResourceLanguagesExW,EnumDateFormatsExW,GetSystemDefaultLangID,DeleteProcThreadAttributeList,GetLongPathNameW,GetMailslotInfo,LoadPackagedLibrary,ScrollConsoleScreenBufferW,BindIoCompletionCallback,GetLongPathNameW,EnumSystemFirmwareTables,DeleteProcThreadAttributeList,FindFirstFileNameW,CreateFileMappingFromApp,GetFileInformationByHandle,CreateEventW,GetThreadUILanguage,QueryMemoryResourceNotification,SetConsoleMode,GenerateConsoleCtrlEvent,PathFileExistsA,GlobalDeleteAtom,HeapReAlloc,TransactNamedPipe,ClosePrivateNamespace,ClearCommError,LocalFileTimeToFileTime,GetProcessPriorityBoost,CheckNameLegalDOS8Dot3W,MoveFileTransactedW,GlobalAddAtomW,SetCommState,SetDllDirectoryW,GetThreadPriorityBoost,GetFirmwareEnvironmentVariableW,UpdateProcThreadAttribute,SetConsoleMode,FreeLibraryWhenCallbackReturns,GetCalendarInfoW,GetTickCount64,GenerateConsoleCtrlEvent,FlushProcessWriteBuffers,SetThreadpoolWaitEx,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,GetConsoleHistoryInfo,SwitchToThread,CreateTapePartition,HeapReAlloc,UnregisterBadMemoryNotification,GetTimeFormatEx,EnumSystemFirmwareTables,lstrcmpW,WaitForThreadpoolIoCallbacks,GetSystemTimeAsFileTime,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,ScreenToClient,LogicalToPhysicalPoint,InitOnceInitialize,GetThreadErrorMode,OpenFileMappingW,IsImmersiveProcess,SetVolumeLabelW,SetDoubleClickTime,FlushFileBuffers,GetVersionExW,InsertMenuItemW,SetProcessRestrictionExemption,SetMenuInfo,CheckMenuRadioItem,CreateDirectoryW,CreateIconFromResourceEx,QueryThreadpoolStackInformation,IsProcessInJob,SetConsoleTitleW,ExitProcess,Concurrency::cancel_current_task,ExitProcess,	10_2_00007FFB1C88CD30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E5D40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	10_2_00007FFB1C8E5D40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E5CCC FindClose,FindFirstFileExW,GetLastError,	10_2_00007FFB1C8E5CCC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9035A4 FindFirstFileExW,	10_2_00007FFB1C9035A4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C888D50 IsThreadAFiber,WaitCommEvent,GetFileInformationByHandle,ConvertThreadToFiber,IsDebuggerPresent,lstrcpyW,HeapCompact,WaitForDebugEvent,CreateTapePartition,GetDurationFormat,OpenWaitableTimerW,GetProcessDEPPolicy,DeleteFileW,LoadResource,CommConfigDialogW,EscapeCommFunction,LocalHandle,SetupComm,NeedCurrentDirectoryForExePathW,DisableThreadLibraryCalls,GetLogicalProcessorInformation,GetAtomNameW,InitializeSListHead,CloseThreadpool,GetSystemRegistryQuota,DebugActiveProcessStop,TzSpecificLocalTimeToSystemTimeEx,OpenSemaphoreW,CountClipboardFormats,EnableWindow,MapWindowPoints,ReadThreadProfilingData,CharPrevW,LockFileEx,MulDiv,DeleteCriticalSection,MapWindowPoints,DeleteTimerQueueTimer,MessageBoxW,GetTickCount,EnumPropsW,SetProcessAffinityMask,DdeQueryStringW,GetActiveWindow,CreateMemoryResourceNotification,WaitForInputIdle,WaitMessage,VkKeyScanExW,GetUserDefaultLangID,HeapDestroy,GetInputState,CopyFileExW,ResolveLocaleName,GetActiveProcessorCount,GetDefaultCommConfigW,EnumCalendarInfoExEx,SetCommState,GetUserDefaultUILanguage,InitializeProcThreadAttributeList,GetUserDefaultLangID,SetProcessDEPPolicy,GetThreadSelectorEntry,EnumResourceTypesExW,SetTapeParameters,GetProcessPreferredUILanguages,GetNLSVersionEx,ReleaseMutexWhenCallbackReturns,GetFileInformationByHandle,OpenFileById,FindFirstFileW,GetMemoryErrorHandlingCapabilities,Wow64DisableWow64FsRedirection,GetProcessWorkingSetSizeEx,MapUserPhysicalPagesScatter,SetUnhandledExceptionFilter,EnumSystemLocalesEx,GetTempPathW,AttachConsole,CloseThreadpoolCleanupGroup,GetSystemDefaultLangID,GetFinalPathNameByHandleW,CreateJobObjectW,EnterSynchronizationBarrier,GlobalAddAtomW,GetConsoleAliasesLengthW,GetLastError,CallNamedPipeW,SearchPathW,SetFileValidData,SetCommBreak,MapUserPhysicalPagesScatter,GetWriteWatch,SetThreadpoolThreadMaximum,ReleaseSemaphoreWhenCallbackReturns,FillConsoleOutputCharacterW,GetProcessorSystemCycleTime,SetTextJustification,SetDefaultDllDirectories,SetBrushOrgEx,GetCurrentProcessorNumberEx,LockFileEx,SetConsoleDisplayMode,SetLastError,WritePrivateProfileSectionW,GetSystemTime,MapUserPhysicalPagesScatter,FindNextFileW,GetVolumeInformationW,EnumResourceTypesExW,HeapCreate,FindNextVolumeMountPointW,UnregisterApplicationRecoveryCallback,GetConsoleAliasW,QueryThreadProfiling,GetFullPathNameTransactedW,WritePrivateProfileSectionW,GetFileTime,CopyFileW,GetSystemTimeAsFileTime,HeapValidate,FileTimeToSystemTime,MoveFileWithProgressW,QueryDepthSList,EnumSystemFirmwareTables,QueryPerformanceCounter,MultiByteToWideChar,GetMaximumProcessorCount,GetActiveProcessorGroupCount,GetSystemFirmwareTable,DosDateTimeToFileTime,InterlockedPushListSListEx,SetThreadpoolTimerEx,InitOnceInitialize,GlobalAddAtomW,SetThreadpoolTimer,GetFocus,GetNextDlgGroupItem,GetTempPathW,GetDlgItemInt,CountClipboardFormats,PrivateExtractIconsW,MoveFileW,CreateDesktopExW,SetCalendarInfoW,SendInput,DrawCaption,SetFileAttributesTransactedW,EnterCriticalSection,ResetWriteWatch,WinHelpW,GlobalGetAtomNameW,GetL	10_2_00007FFB1C888D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FE0 FindFirstFileExW,QueryDosDeviceW,	10_2_00007FFB1C998FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FF8 FindFirstFileW,QueryDosDeviceW,	10_2_00007FFB1C998FF8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88C640 SetThreadGroupAffinity,SetTapeParameters,QueryDosDeviceW,WaitForDebugEvent,DeregisterShellHookWindow,CreateEventW,CreateFileMappingFromApp,RegisterClassExW,UnlockFile,CancelIoEx,ArrangeIconicWindows,CloseThreadpoolIo,PowerSetRequest,GetCursor,BroadcastSystemMessageExW,DestroyWindow,EnumSystemLocalesW,WriteTapemark,HeapValidate,CloseWindowStation,SetConsoleTextAttribute,GetTabbedTextExtentW,IsBadWritePtr,BuildCommDCBAndTimeoutsW,GetHandleInformation,GetVolumeInformationByHandleW,GetPriorityClass,SetLastErrorEx,RemoveDllDirectory,SetThreadErrorMode,UnregisterWaitEx,DebugSetProcessKillOnExit,QueryPerformanceFrequency,DuplicateHandle,GetFileSizeEx,HeapDestroy,CreateFiberEx,Wow64SuspendThread,OpenSemaphoreW,InitOnceExecuteOnce,CreateConsoleScreenBuffer,DeleteFileTransactedW,GetLocaleInfoEx,GetUserPreferredUILanguages,ClosePrivateNamespace,ReleaseSRWLockShared,FindNLSStringEx,SignalObjectAndWait,FindFirstFileW,DefineDosDeviceW,GetDurationFormat,EnumDateFormatsExEx,IsValidCodePage,FlsFree,GetProcessHeap,SetEvent,GlobalDeleteAtom,DisableThreadLibraryCalls,SetCurrentConsoleFontEx,SetLastError,GetConsoleScreenBufferInfoEx,AddResourceAttributeAce,GetDiskFreeSpaceExW,GetStringTypeA,SetProcessMitigationPolicy,RtlCaptureContext,RemoveDirectoryTransactedW,LCIDToLocaleName,lstrcatW,HeapCreate,GetNamedPipeInfo,SetConsoleCP,GetFileSizeEx,MoveFileWithProgressW,RemoveDirectoryTransactedW,PowerCreateRequest,CreatePrivateNamespaceW,BackupSeek,SizeofResource,WritePrivateProfileSectionW,InterlockedFlushSList,FileTimeToSystemTime,FindClose,SetThreadErrorMode,	10_2_00007FFB1C88C640
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998120 FindFirstFileA,	10_2_00007FFB1C998120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9981D0 FindFirstFileNameW,	10_2_00007FFB1C9981D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.7:49740 -> 172.67.204.246:443

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: openvpn.exe.3.dr

Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmGetAppIdFromFileName0, FwpmEngineClose0

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FF7182C9650 htons,GetLastError,WSAGetLastError,SetLastError,WSASetLastError,ResetEvent,ReadFile,WSARecvFrom,WSARecv,SetEvent,GetLastError,WSAGetLastError,SetEvent,free,free,

10_2_00007FF7182C9650

Source: global traffic

DNS traffic detected: DNS query: search-keys.com

Source: unknown

HTTP traffic detected: POST /licenseUser.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: search-keys.comContent-Length: 48Cache-Control: no-cache

Source: UnRar.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: UnRar.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UnRar.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: UnRar.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: UnRar.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: UnRar.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UnRar.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: UnRar.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UnRar.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: UnRar.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: UnRar.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: UnRar.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: UnRar.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: openvpn.exe, openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://openvpn.net/faq.html#dhcpclientserv
Source: openvpn.exe, openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://openvpn.net/howto.html#mitm
Source: powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1544974565.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: UnRar.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000008.00000002.1544974565.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: https://gnu.org/licenses/
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: powershell.exe, 00000008.00000002.1544974565.000000000520D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.msi	String found in binary or memory: https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params
Source: libgpg-error-0.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: openvpn.exe	String found in binary or memory: https://www.openssl.org/
Source: openvpn.exe, 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmp, openvpn.exe, 0000000A.00000002.1647191338.00007FFB0BD8F000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.openssl.org/H

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Source: unknown

HTTPS traffic detected: 172.67.204.246:443 -> 192.168.2.7:49740 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C9991A0 CreateDesktopExW,

10_2_00007FFB1C9991A0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FF718260520: DeviceIoControl,GetLastError,_exit,

10_2_00007FF718260520

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b85d1.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI90DD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI918A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI91C9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9238.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9297.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0BE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID1F3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID242.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0AB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA9F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIED11.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b85d4.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b85d4.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI90DD.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_043C1D68	8_2_043C1D68
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182E6540	10_2_00007FF7182E6540
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182EA130	10_2_00007FF7182EA130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825BD20	10_2_00007FF71825BD20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825E590	10_2_00007FF71825E590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718269D70	10_2_00007FF718269D70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71825AD60	10_2_00007FF71825AD60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718278D60	10_2_00007FF718278D60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182B25B0	10_2_00007FF7182B25B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182E9DA0	10_2_00007FF7182E9DA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182721A0	10_2_00007FF7182721A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DAA10	10_2_00007FF7182DAA10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182FBE10	10_2_00007FF7182FBE10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C1600	10_2_00007FF7182C1600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182D6DF0	10_2_00007FF7182D6DF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DA1E0	10_2_00007FF7182DA1E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C9650	10_2_00007FF7182C9650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182FA240	10_2_00007FF7182FA240
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718255640	10_2_00007FF718255640
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182F1630	10_2_00007FF7182F1630
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182A3A20	10_2_00007FF7182A3A20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182E7E90	10_2_00007FF7182E7E90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718256290	10_2_00007FF718256290
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718286A60	10_2_00007FF718286A60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718278EBD	10_2_00007FF718278EBD
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182EEAB0	10_2_00007FF7182EEAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182716B0	10_2_00007FF7182716B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182BBAA0	10_2_00007FF7182BBAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DD2A0	10_2_00007FF7182DD2A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DE710	10_2_00007FF7182DE710
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182EEF10	10_2_00007FF7182EEF10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182F26F0	10_2_00007FF7182F26F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182EE350	10_2_00007FF7182EE350
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182E6F80	10_2_00007FF7182E6F80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DF380	10_2_00007FF7182DF380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182EFF60	10_2_00007FF7182EFF60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718251F60	10_2_00007FF718251F60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71827DB60	10_2_00007FF71827DB60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DABD0	10_2_00007FF7182DABD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182E53C0	10_2_00007FF7182E53C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182D37C0	10_2_00007FF7182D37C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182827C0	10_2_00007FF7182827C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718272BC0	10_2_00007FF718272BC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C0BA0	10_2_00007FF7182C0BA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71827A3F0	10_2_00007FF71827A3F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182D3FE0	10_2_00007FF7182D3FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182F57E0	10_2_00007FF7182F57E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718253440	10_2_00007FF718253440
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182D5C20	10_2_00007FF7182D5C20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182DE470	10_2_00007FF7182DE470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182B6060	10_2_00007FF7182B6060
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718259460	10_2_00007FF718259460
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C48D0	10_2_00007FF7182C48D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182748C0	10_2_00007FF7182748C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182F34A0	10_2_00007FF7182F34A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF718294D00	10_2_00007FF718294D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C887530	10_2_00007FFB1C887530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C885550	10_2_00007FFB1C885550
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88F150	10_2_00007FFB1C88F150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88CD30	10_2_00007FFB1C88CD30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88A530	10_2_00007FFB1C88A530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C884860	10_2_00007FFB1C884860
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F3D20	10_2_00007FFB1C8F3D20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E5D40	10_2_00007FFB1C8E5D40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C893D60	10_2_00007FFB1C893D60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8B3CD0	10_2_00007FFB1C8B3CD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EFCC0	10_2_00007FFB1C8EFCC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FFE24	10_2_00007FFB1C8FFE24
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88BF50	10_2_00007FFB1C88BF50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C909F90	10_2_00007FFB1C909F90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998058	10_2_00007FFB1C998058
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998028	10_2_00007FFB1C998028
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998020	10_2_00007FFB1C998020
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998030	10_2_00007FFB1C998030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998088	10_2_00007FFB1C998088
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998068	10_2_00007FFB1C998068
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C884080	10_2_00007FFB1C884080
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998078	10_2_00007FFB1C998078
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998070	10_2_00007FFB1C998070
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C889FE0	10_2_00007FFB1C889FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F992C	10_2_00007FFB1C8F992C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9059CC	10_2_00007FFB1C9059CC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F7A04	10_2_00007FFB1C8F7A04
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F551C	10_2_00007FFB1C8F551C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9035A4	10_2_00007FFB1C9035A4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FF5D8	10_2_00007FFB1C8FF5D8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C905218	10_2_00007FFB1C905218
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EF214	10_2_00007FFB1C8EF214
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FF35C	10_2_00007FFB1C8FF35C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C888D50	10_2_00007FFB1C888D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998D08	10_2_00007FFB1C998D08
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998D00	10_2_00007FFB1C998D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998D18	10_2_00007FFB1C998D18
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998D10	10_2_00007FFB1C998D10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998CF0	10_2_00007FFB1C998CF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FCE54	10_2_00007FFB1C8FCE54
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EEE04	10_2_00007FFB1C8EEE04
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C887060	10_2_00007FFB1C887060
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FC0	10_2_00007FFB1C998FC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FD0	10_2_00007FFB1C998FD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FE8	10_2_00007FFB1C998FE8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EF010	10_2_00007FFB1C8EF010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FE0	10_2_00007FFB1C998FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FF8	10_2_00007FFB1C998FF8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F2918	10_2_00007FFB1C8F2918
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F0A58	10_2_00007FFB1C8F0A58
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998A70	10_2_00007FFB1C998A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EE9F4	10_2_00007FFB1C8EE9F4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F4B50	10_2_00007FFB1C8F4B50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C906B48	10_2_00007FFB1C906B48
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998AC0	10_2_00007FFB1C998AC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C894C40	10_2_00007FFB1C894C40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C886BF0	10_2_00007FFB1C886BF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EEC00	10_2_00007FFB1C8EEC00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F6558	10_2_00007FFB1C8F6558
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88C500	10_2_00007FFB1C88C500
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F0654	10_2_00007FFB1C8F0654
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C90A62C	10_2_00007FFB1C90A62C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998638	10_2_00007FFB1C998638
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88C640	10_2_00007FFB1C88C640
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998600	10_2_00007FFB1C998600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9986E8	10_2_00007FFB1C9986E8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9986F0	10_2_00007FFB1C9986F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998858	10_2_00007FFB1C998858
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998850	10_2_00007FFB1C998850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998890	10_2_00007FFB1C998890
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998868	10_2_00007FFB1C998868
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FC7D4	10_2_00007FFB1C8FC7D4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8EE7F0	10_2_00007FFB1C8EE7F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998158	10_2_00007FFB1C998158
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998150	10_2_00007FFB1C998150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998128	10_2_00007FFB1C998128
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998120	10_2_00007FFB1C998120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998130	10_2_00007FFB1C998130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998160	10_2_00007FFB1C998160
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9980C8	10_2_00007FFB1C9980C8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9980C0	10_2_00007FFB1C9980C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9980B8	10_2_00007FFB1C9980B8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998118	10_2_00007FFB1C998118
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F20E0	10_2_00007FFB1C8F20E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998110	10_2_00007FFB1C998110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9980E0	10_2_00007FFB1C9980E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998258	10_2_00007FFB1C998258
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F4280	10_2_00007FFB1C8F4280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C90820C	10_2_00007FFB1C90820C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998348	10_2_00007FFB1C998348
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8FC340	10_2_00007FFB1C8FC340
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9022FC	10_2_00007FFB1C9022FC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998448	10_2_00007FFB1C998448
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998470	10_2_00007FFB1C998470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998410	10_2_00007FFB1C998410
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9E91	10_2_00007FFB1DEC9E91
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED9E10	10_2_00007FFB1DED9E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB5DB0	10_2_00007FFB1DEB5DB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC6050	10_2_00007FFB1DEC6050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5C030	10_2_00007FFB1DE5C030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE82030	10_2_00007FFB1DE82030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED1F00	10_2_00007FFB1DED1F00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7DEB0	10_2_00007FFB1DE7DEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC3A90	10_2_00007FFB1DEC3A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC9A2F	10_2_00007FFB1DEC9A2F
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6B950	10_2_00007FFB1DE6B950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEADC60	10_2_00007FFB1DEADC60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE53C40	10_2_00007FFB1DE53C40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE5FBB0	10_2_00007FFB1DE5FBB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB3650	10_2_00007FFB1DEB3650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9F570	10_2_00007FFB1DE9F570
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB14A0	10_2_00007FFB1DEB14A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB5870	10_2_00007FFB1DEB5870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6B830	10_2_00007FFB1DE6B830
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAF280	10_2_00007FFB1DEAF280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC7270	10_2_00007FFB1DEC7270
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB3130	10_2_00007FFB1DEB3130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED9470	10_2_00007FFB1DED9470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE57400	10_2_00007FFB1DE57400
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAD3F0	10_2_00007FFB1DEAD3F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE55380	10_2_00007FFB1DE55380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE732C0	10_2_00007FFB1DE732C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC4E90	10_2_00007FFB1DEC4E90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB4E60	10_2_00007FFB1DEB4E60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBCD00	10_2_00007FFB1DEBCD00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEA8CB0	10_2_00007FFB1DEA8CB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9EF10	10_2_00007FFB1DE9EF10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE60EB0	10_2_00007FFB1DE60EB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DED6BB0	10_2_00007FFB1DED6BB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE7CAA0	10_2_00007FFB1DE7CAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE6C610	10_2_00007FFB1DE6C610
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBA4B0	10_2_00007FFB1DEBA4B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBA880	10_2_00007FFB1DEBA880
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE9C850	10_2_00007FFB1DE9C850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEC0720	10_2_00007FFB1DEC0720
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB0720	10_2_00007FFB1DEB0720
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE98710	10_2_00007FFB1DE98710
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEBE6B0	10_2_00007FFB1DEBE6B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEAE280	10_2_00007FFB1DEAE280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE8C250	10_2_00007FFB1DE8C250
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DE52210	10_2_00007FFB1DE52210
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEB81A0	10_2_00007FFB1DEB81A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDC450	10_2_00007FFB1DEDC450

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDEFC0 appears 801 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF718262CE0 appears 934 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF718263310 appears 49 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF7182526F0 appears 77 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDEA72 appears 126 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDEAF6 appears 36 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDEA66 appears 148 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DE992F0 appears 104 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DE883D0 appears 71 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDE39A appears 1283 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DE88340 appears 65 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDE2DA appears 55 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF718263290 appears 515 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDE2CE appears 62 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDE2D4 appears 442 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1DEDE44E appears 38 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFB1C8E8A9C appears 222 times

Source: libassuan-0.dll.3.dr	Static PE information: Number of sections : 12 > 10
Source: vlc.exe.3.dr	Static PE information: Number of sections : 14 > 10
Source: libgpg-error-0.dll.3.dr	Static PE information: Number of sections : 12 > 10
Source: libwinpthread-1.dll.3.dr	Static PE information: Number of sections : 12 > 10

Source: api-ms-win-crt-environment-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.3.dr	Static PE information: No import functions for PE file found

Source: Setup.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameSecureProp.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs Setup.msi
Source: Setup.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Setup.msi

Source: classification engine

Classification label: mal42.troj.evad.winMSI@10/154@1/1

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C883C30 GetDiskFreeSpaceExA,

10_2_00007FFB1C883C30

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C887530 DefWindowProcW,InvalidateRect,BeginPaint,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,EndPaint,KillTimer,PostQuitMessage,SetTimer,GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,FreeResource,GetNamedPipeServerSessionId,SetDefaultCommConfigW,CreateDIBPatternBrushPt,SetComputerNameExW,GetRegionData,GetCommMask,PaintRgn,GetPrivateProfileStructW,FreeConsole,SetProcessAffinityMask,SetFileInformationByHandle,GetVolumeInformationByHandleW,DefineDosDeviceW,GetSystemFileCacheSize,SetWaitableTimer,GetTextColor,SetConsoleCtrlHandler,EnumResourceTypesExW,ReadDirectoryChangesW,WaitForThreadpoolWorkCallbacks,GetProcessGroupAffinity,SetPolyFillMode,MulDiv,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleCP,CommConfigDialogW,lstrcmpiW,EnumTimeFormatsW,GetConsoleProcessList,FindFirstStreamTransactedW,BuildCommDCBAndTimeoutsW,SetThreadExecutionState,IsBadStringPtrW,AllocateUserPhysicalPagesNuma,SetThreadDescription,ConvertThreadToFiber,BuildCommDCBW,FreeUserPhysicalPages,SetCalendarInfoW,HeapValidate,GetCompressedFileSizeW,HeapSize,AddIntegrityLabelToBoundaryDescriptor,CreateEventExW,DeleteBoundaryDescriptor,UnregisterApplicationRecoveryCallback,RegisterBadMemoryNotification,EscapeCommFunction,SetEvent,DeleteVolumeMountPointW,GetTickCount,ReadFileEx,ContinueDebugEvent,SetThreadPriorityBoost,TrySubmitThreadpoolCallback,MoveFileWithProgressW,CreateFiber,InitializeCriticalSectionAndSpinCount,FindFirstFileNameW,VirtualProtect,GetEnvironmentStringsW,GetOverlappedResult,IsValidLanguageGroup,QueueUserWorkItem,GlobalReAlloc,ExitProcess,

10_2_00007FFB1C887530

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLEDE2.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5E9D9845B78F3BEF.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: Setup.msi

ReversingLabs: Detection: 13%

Source: openvpn.exe	String found in binary or memory: tun-stop
Source: openvpn.exe	String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe	String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe	String found in binary or memory: Use --help for more information.
Source: openvpn.exe	String found in binary or memory: Use --help for more information.
Source: openvpn.exe	String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe	String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe	String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: openvpn.exe	String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libssl-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libcrypto-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libpkcs11-helper-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libcrypto-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: vlc.lnk.3.dr

LNK file: ..\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}

Jump to behavior

Source: Setup.msi

Static file information: File size 56197120 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: Setup.msi, MSIEA9F.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, MSIE0AB.tmp.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 0000000A.00000002.1646484400.00007FFB0BC8C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi
Source:	Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 0000000A.00000002.1648309311.00007FFB23B21000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.3.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.3.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, MSIE0AB.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: Setup.msi, MSIEA9F.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi
Source:	Binary string: D:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: UnRar.exe.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, MSI91C9.tmp.3.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.3.dr

Source: vlc.exe.3.dr

Static PE information: 0xA6D0A6C0 [Sun Sep 8 06:27:12 2058 UTC]

Source: vlc.exe.3.dr	Static PE information: section name: .buildid
Source: vlc.exe.3.dr	Static PE information: section name: .xdata
Source: vlc.exe.3.dr	Static PE information: section name: /4
Source: libassuan-0.dll.3.dr	Static PE information: section name: .xdata
Source: libgpg-error-0.dll.3.dr	Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.3.dr	Static PE information: section name: _RDATA
Source: libwinpthread-1.dll.3.dr	Static PE information: section name: .xdata
Source: SecureProp.dll.3.dr	Static PE information: section name: .fptable
Source: UnRar.exe.3.dr	Static PE information: section name: _RDATA
Source: libpkcs11-helper-1.dll.3.dr	Static PE information: section name: .udata
Source: MSID1F3.tmp.3.dr	Static PE information: section name: .fptable
Source: MSID242.tmp.3.dr	Static PE information: section name: .fptable
Source: MSIE0AB.tmp.3.dr	Static PE information: section name: .fptable
Source: MSI90DD.tmp.3.dr	Static PE information: section name: .fptable
Source: MSI918A.tmp.3.dr	Static PE information: section name: .fptable
Source: MSI91C9.tmp.3.dr	Static PE information: section name: .fptable
Source: MSI9238.tmp.3.dr	Static PE information: section name: .fptable
Source: MSI9297.tmp.3.dr	Static PE information: section name: .fptable
Source: MSIB0BE.tmp.3.dr	Static PE information: section name: .fptable
Source: MSIEA9F.tmp.3.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_043C0B35 push ebx; iretd	8_2_043C0B42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_043C329C pushfd ; ret	8_2_043C32B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_043CBD83 push esp; ret	8_2_043CBD93
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71826D2CD push rbx; iretd	10_2_00007FF71826D2CE
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C99D155 push rsi; ret	10_2_00007FFB1C99D156

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9297.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI91C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0AB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID1F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID242.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI918A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9238.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI90DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID1F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9297.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID242.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI918A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9238.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI91C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI90DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0AB.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C885550 GetLocalTime,CreateSemaphoreA,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,GetTempPathA,GetEnvironmentVariableW,GetMaximumProcessorGroupCount,GlobalMemoryStatus,WriteConsoleOutputAttribute,FindVolumeClose,SetFileTime,SetConsoleMode,SetStdHandle,OpenWaitableTimerW,SetConsoleDisplayMode,SetThreadErrorMode,EnumTimeFormatsW,RtlCaptureContext,GetVersionExW,IsWindowUnicode,CreatePopupMenu,WritePrivateProfileSectionW,AddScopedPolicyIDAce,InsertMenuW,DebugActiveProcess,SetFocus,GetCapture,TrackPopupMenuEx,GetClassLongW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetInputState,PowerCreateRequest,ChangeTimerQueueTimer,OpenJobObjectW,PrepareTape,SetProcessRestrictionExemption,GetActiveProcessorCount,ReuseDDElParam,DebugActiveProcess,GetNumaProcessorNodeEx,GetConsoleScreenBufferInfo,lstrcmpW,LocalLock,GetProcessHeap,OpenSemaphoreW,GetPrivateProfileStructW,CreateThreadpoolWork,FindFirstChangeNotificationW,WritePrivateProfileStringW,GetLogicalProcessorInformationEx,IsProcessInJob,SearchPathW,SetFileAttributesW,TryAcquireSRWLockExclusive,AcquireSRWLockExclusive,EnumTimeFormatsEx,CreateRemoteThread,DisableThreadLibraryCalls,GetDevicePowerState,HeapAlloc,CopyFileTransactedW,GetFileType,FindVolumeMountPointClose,DeviceIoControl,GetCompressedFileSizeW,GetStringTypeExW,GetNamedPipeClientProcessId,Wow64DisableWow64FsRedirection,FindFirstStreamTransactedW,GetConsoleProcessList,OpenProcess,EnumResourceTypesW,VirtualAlloc,HeapCreate,GetLastError,HeapAlloc,GetLastError,HeapFree,HeapDestroy,SizeofResource,WriteProfileStringW,InitOnceExecuteOnce,CloseThreadpoolWait,GetSystemRegistryQuota,DebugSetProcessKillOnExit,FreeLibraryWhenCallbackReturns,CompareStringOrdinal,FindFirstChangeNotificationW,QueueUserWorkItem,WaitForThreadpoolWorkCallbacks,SetFileShortNameW,GlobalReAlloc,DebugBreakProcess,WritePrivateProfileStringW,UnregisterApplicationRestart,CreateDirectoryExW,VirtualQueryEx,RegisterBadMemoryNotification,

10_2_00007FFB1C885550

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: GetAdaptersInfo,malloc,GetAdaptersInfo,malloc,

10_2_00007FF7182E7970

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3794			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1444			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9297.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEA9F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI91C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB0BE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE0AB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID1F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID242.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9238.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI918A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI90DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

API coverage: 1.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep count: 3794 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 1444 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C887530 DefWindowProcW,InvalidateRect,BeginPaint,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,EndPaint,KillTimer,PostQuitMessage,SetTimer,GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,FreeResource,GetNamedPipeServerSessionId,SetDefaultCommConfigW,CreateDIBPatternBrushPt,SetComputerNameExW,GetRegionData,GetCommMask,PaintRgn,GetPrivateProfileStructW,FreeConsole,SetProcessAffinityMask,SetFileInformationByHandle,GetVolumeInformationByHandleW,DefineDosDeviceW,GetSystemFileCacheSize,SetWaitableTimer,GetTextColor,SetConsoleCtrlHandler,EnumResourceTypesExW,ReadDirectoryChangesW,WaitForThreadpoolWorkCallbacks,GetProcessGroupAffinity,SetPolyFillMode,MulDiv,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleCP,CommConfigDialogW,lstrcmpiW,EnumTimeFormatsW,GetConsoleProcessList,FindFirstStreamTransactedW,BuildCommDCBAndTimeoutsW,SetThreadExecutionState,IsBadStringPtrW,AllocateUserPhysicalPagesNuma,SetThreadDescription,ConvertThreadToFiber,BuildCommDCBW,FreeUserPhysicalPages,SetCalendarInfoW,HeapValidate,GetCompressedFileSizeW,HeapSize,AddIntegrityLabelToBoundaryDescriptor,CreateEventExW,DeleteBoundaryDescriptor,UnregisterApplicationRecoveryCallback,RegisterBadMemoryNotification,EscapeCommFunction,SetEvent,DeleteVolumeMountPointW,GetTickCount,ReadFileEx,ContinueDebugEvent,SetThreadPriorityBoost,TrySubmitThreadpoolCallback,MoveFileWithProgressW,CreateFiber,InitializeCriticalSectionAndSpinCount,FindFirstFileNameW,VirtualProtect,GetEnvironmentStringsW,GetOverlappedResult,IsValidLanguageGroup,QueueUserWorkItem,GlobalReAlloc,ExitProcess,	10_2_00007FFB1C887530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88F150 GetThreadUILanguage,FreeLibraryWhenCallbackReturns,TransactNamedPipe,WriteProfileSectionW,VirtualFreeEx,SetComputerNameExW,FatalAppExitW,RemoveVectoredExceptionHandler,DeleteFiber,SetConsoleCtrlHandler,GetFinalPathNameByHandleW,GetOEMCP,CreateThreadpoolIo,EnumCalendarInfoW,FlsAlloc,ConvertThreadToFiberEx,CreateMailslotW,GetUserPreferredUILanguages,GetConsoleWindow,CreateFileMappingFromApp,AddDllDirectory,IsBadWritePtr,OutputDebugStringW,DeleteProcThreadAttributeList,BackupWrite,GetLogicalProcessorInformation,LocalFileTimeToFileTime,FindFirstFileNameW,GetModuleFileNameW,CreateSymbolicLinkW,WriteConsoleOutputCharacterW,GetProcessIdOfThread,OutputDebugStringA,	10_2_00007FFB1C88F150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88CD30 RemoveMenu,GetProcessWorkingSetSizeEx,CloseWindow,DrawAnimatedRects,FindNextVolumeMountPointW,SwitchToThread,CloseThreadpoolTimer,UpdateResourceW,SetProtectedPolicy,GetClassWord,GetModuleHandleW,SetHandleInformation,SetWindowTextW,CopyFile2,GetAtomNameW,SetFilePointer,SetMailslotInfo,PostMessageW,GetProcessHandleCount,SetLayeredWindowAttributes,GetFileInformationByHandle,IsValidLanguageGroup,GetProcAddress,ReOpenFile,CreateCompatibleBitmap,SetDIBits,GlobalFree,MapUserPhysicalPagesScatter,CreateMemoryResourceNotification,Wow64GetThreadContext,UnregisterWait,SelectClipRgn,SetLocalTime,SelectObject,SetDefaultDllDirectories,FindFirstVolumeMountPointW,ExpandEnvironmentStringsW,GetNumaProximityNodeEx,CancelWaitableTimer,HeapWalk,Wow64SuspendThread,FlushFileBuffers,SetFileTime,FindFirstFileTransactedW,GetSystemDirectoryW,SizeofResource,EnumResourceLanguagesExW,EnumDateFormatsExW,GetSystemDefaultLangID,DeleteProcThreadAttributeList,GetLongPathNameW,GetMailslotInfo,LoadPackagedLibrary,ScrollConsoleScreenBufferW,BindIoCompletionCallback,GetLongPathNameW,EnumSystemFirmwareTables,DeleteProcThreadAttributeList,FindFirstFileNameW,CreateFileMappingFromApp,GetFileInformationByHandle,CreateEventW,GetThreadUILanguage,QueryMemoryResourceNotification,SetConsoleMode,GenerateConsoleCtrlEvent,PathFileExistsA,GlobalDeleteAtom,HeapReAlloc,TransactNamedPipe,ClosePrivateNamespace,ClearCommError,LocalFileTimeToFileTime,GetProcessPriorityBoost,CheckNameLegalDOS8Dot3W,MoveFileTransactedW,GlobalAddAtomW,SetCommState,SetDllDirectoryW,GetThreadPriorityBoost,GetFirmwareEnvironmentVariableW,UpdateProcThreadAttribute,SetConsoleMode,FreeLibraryWhenCallbackReturns,GetCalendarInfoW,GetTickCount64,GenerateConsoleCtrlEvent,FlushProcessWriteBuffers,SetThreadpoolWaitEx,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,GetConsoleHistoryInfo,SwitchToThread,CreateTapePartition,HeapReAlloc,UnregisterBadMemoryNotification,GetTimeFormatEx,EnumSystemFirmwareTables,lstrcmpW,WaitForThreadpoolIoCallbacks,GetSystemTimeAsFileTime,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,ScreenToClient,LogicalToPhysicalPoint,InitOnceInitialize,GetThreadErrorMode,OpenFileMappingW,IsImmersiveProcess,SetVolumeLabelW,SetDoubleClickTime,FlushFileBuffers,GetVersionExW,InsertMenuItemW,SetProcessRestrictionExemption,SetMenuInfo,CheckMenuRadioItem,CreateDirectoryW,CreateIconFromResourceEx,QueryThreadpoolStackInformation,IsProcessInJob,SetConsoleTitleW,ExitProcess,Concurrency::cancel_current_task,ExitProcess,	10_2_00007FFB1C88CD30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E5D40 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	10_2_00007FFB1C8E5D40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E5CCC FindClose,FindFirstFileExW,GetLastError,	10_2_00007FFB1C8E5CCC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9035A4 FindFirstFileExW,	10_2_00007FFB1C9035A4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C888D50 IsThreadAFiber,WaitCommEvent,GetFileInformationByHandle,ConvertThreadToFiber,IsDebuggerPresent,lstrcpyW,HeapCompact,WaitForDebugEvent,CreateTapePartition,GetDurationFormat,OpenWaitableTimerW,GetProcessDEPPolicy,DeleteFileW,LoadResource,CommConfigDialogW,EscapeCommFunction,LocalHandle,SetupComm,NeedCurrentDirectoryForExePathW,DisableThreadLibraryCalls,GetLogicalProcessorInformation,GetAtomNameW,InitializeSListHead,CloseThreadpool,GetSystemRegistryQuota,DebugActiveProcessStop,TzSpecificLocalTimeToSystemTimeEx,OpenSemaphoreW,CountClipboardFormats,EnableWindow,MapWindowPoints,ReadThreadProfilingData,CharPrevW,LockFileEx,MulDiv,DeleteCriticalSection,MapWindowPoints,DeleteTimerQueueTimer,MessageBoxW,GetTickCount,EnumPropsW,SetProcessAffinityMask,DdeQueryStringW,GetActiveWindow,CreateMemoryResourceNotification,WaitForInputIdle,WaitMessage,VkKeyScanExW,GetUserDefaultLangID,HeapDestroy,GetInputState,CopyFileExW,ResolveLocaleName,GetActiveProcessorCount,GetDefaultCommConfigW,EnumCalendarInfoExEx,SetCommState,GetUserDefaultUILanguage,InitializeProcThreadAttributeList,GetUserDefaultLangID,SetProcessDEPPolicy,GetThreadSelectorEntry,EnumResourceTypesExW,SetTapeParameters,GetProcessPreferredUILanguages,GetNLSVersionEx,ReleaseMutexWhenCallbackReturns,GetFileInformationByHandle,OpenFileById,FindFirstFileW,GetMemoryErrorHandlingCapabilities,Wow64DisableWow64FsRedirection,GetProcessWorkingSetSizeEx,MapUserPhysicalPagesScatter,SetUnhandledExceptionFilter,EnumSystemLocalesEx,GetTempPathW,AttachConsole,CloseThreadpoolCleanupGroup,GetSystemDefaultLangID,GetFinalPathNameByHandleW,CreateJobObjectW,EnterSynchronizationBarrier,GlobalAddAtomW,GetConsoleAliasesLengthW,GetLastError,CallNamedPipeW,SearchPathW,SetFileValidData,SetCommBreak,MapUserPhysicalPagesScatter,GetWriteWatch,SetThreadpoolThreadMaximum,ReleaseSemaphoreWhenCallbackReturns,FillConsoleOutputCharacterW,GetProcessorSystemCycleTime,SetTextJustification,SetDefaultDllDirectories,SetBrushOrgEx,GetCurrentProcessorNumberEx,LockFileEx,SetConsoleDisplayMode,SetLastError,WritePrivateProfileSectionW,GetSystemTime,MapUserPhysicalPagesScatter,FindNextFileW,GetVolumeInformationW,EnumResourceTypesExW,HeapCreate,FindNextVolumeMountPointW,UnregisterApplicationRecoveryCallback,GetConsoleAliasW,QueryThreadProfiling,GetFullPathNameTransactedW,WritePrivateProfileSectionW,GetFileTime,CopyFileW,GetSystemTimeAsFileTime,HeapValidate,FileTimeToSystemTime,MoveFileWithProgressW,QueryDepthSList,EnumSystemFirmwareTables,QueryPerformanceCounter,MultiByteToWideChar,GetMaximumProcessorCount,GetActiveProcessorGroupCount,GetSystemFirmwareTable,DosDateTimeToFileTime,InterlockedPushListSListEx,SetThreadpoolTimerEx,InitOnceInitialize,GlobalAddAtomW,SetThreadpoolTimer,GetFocus,GetNextDlgGroupItem,GetTempPathW,GetDlgItemInt,CountClipboardFormats,PrivateExtractIconsW,MoveFileW,CreateDesktopExW,SetCalendarInfoW,SendInput,DrawCaption,SetFileAttributesTransactedW,EnterCriticalSection,ResetWriteWatch,WinHelpW,GlobalGetAtomNameW,GetL	10_2_00007FFB1C888D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FE0 FindFirstFileExW,QueryDosDeviceW,	10_2_00007FFB1C998FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998FF8 FindFirstFileW,QueryDosDeviceW,	10_2_00007FFB1C998FF8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88C640 SetThreadGroupAffinity,SetTapeParameters,QueryDosDeviceW,WaitForDebugEvent,DeregisterShellHookWindow,CreateEventW,CreateFileMappingFromApp,RegisterClassExW,UnlockFile,CancelIoEx,ArrangeIconicWindows,CloseThreadpoolIo,PowerSetRequest,GetCursor,BroadcastSystemMessageExW,DestroyWindow,EnumSystemLocalesW,WriteTapemark,HeapValidate,CloseWindowStation,SetConsoleTextAttribute,GetTabbedTextExtentW,IsBadWritePtr,BuildCommDCBAndTimeoutsW,GetHandleInformation,GetVolumeInformationByHandleW,GetPriorityClass,SetLastErrorEx,RemoveDllDirectory,SetThreadErrorMode,UnregisterWaitEx,DebugSetProcessKillOnExit,QueryPerformanceFrequency,DuplicateHandle,GetFileSizeEx,HeapDestroy,CreateFiberEx,Wow64SuspendThread,OpenSemaphoreW,InitOnceExecuteOnce,CreateConsoleScreenBuffer,DeleteFileTransactedW,GetLocaleInfoEx,GetUserPreferredUILanguages,ClosePrivateNamespace,ReleaseSRWLockShared,FindNLSStringEx,SignalObjectAndWait,FindFirstFileW,DefineDosDeviceW,GetDurationFormat,EnumDateFormatsExEx,IsValidCodePage,FlsFree,GetProcessHeap,SetEvent,GlobalDeleteAtom,DisableThreadLibraryCalls,SetCurrentConsoleFontEx,SetLastError,GetConsoleScreenBufferInfoEx,AddResourceAttributeAce,GetDiskFreeSpaceExW,GetStringTypeA,SetProcessMitigationPolicy,RtlCaptureContext,RemoveDirectoryTransactedW,LCIDToLocaleName,lstrcatW,HeapCreate,GetNamedPipeInfo,SetConsoleCP,GetFileSizeEx,MoveFileWithProgressW,RemoveDirectoryTransactedW,PowerCreateRequest,CreatePrivateNamespaceW,BackupSeek,SizeofResource,WritePrivateProfileSectionW,InterlockedFlushSList,FileTimeToSystemTime,FindClose,SetThreadErrorMode,	10_2_00007FFB1C88C640
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998120 FindFirstFileA,	10_2_00007FFB1C998120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C9981D0 FindFirstFileNameW,	10_2_00007FFB1C9981D0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q4classes/jdk/vm/ci/runtime/JVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompiler.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/services/JVMCIServiceLocator.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q3classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIBackend.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q-classes/jdk/vm/ci/runtime/JVMCICompiler.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/common/JVMCIError.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/services/JVMCIServiceLocator.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QOclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q;classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIBackend.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCI.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q0classes/jdk/vm/ci/services/JVMCIPermission.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q)classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QEclasses/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QLclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIRuntime.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q6classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QEclasses/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompiler.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q%classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QVclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIBackend.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QIclasses/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/services/JVMCIPermission.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q<classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q4classes/jdk/vm/ci/services/JVMCIServiceLocator.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/services/JVMCIPermission.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: n/QGclasses/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.classPK
Source: jdk.internal.vm.ci.jmod.3.dr	Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.classPK

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C884860 GetTempPathA,GetTempFileNameA,GetDurationFormat,GetPaletteEntries,InitOnceComplete,GetSystemDefaultUILanguage,GlobalHandle,GetModuleHandleW,GetProcessGroupAffinity,SetCommBreak,DeleteBoundaryDescriptor,DeleteTimerQueueTimer,OpenFileMappingW,GetPolyFillMode,SetTapeParameters,EnumResourceTypesW,TryAcquireSRWLockExclusive,GetProcessIoCounters,HeapLock,IsDebuggerPresent,CreateBoundaryDescriptorW,GetGeoInfoW,GetPolyFillMode,SetBkColor,HeapCreate,UnregisterApplicationRestart,SetFileApisToOEM,AllocateUserPhysicalPages,CreateSemaphoreExW,CreateFileW,LoadLibraryW,CancelSynchronousIo,ApplicationRecoveryInProgress,EscapeCommFunction,SetHandleInformation,CancelSynchronousIo,ApplicationRecoveryInProgress,GetNumberOfConsoleInputEvents,ReleaseMutex,ReadFileEx,GetOverlappedResult,SetThreadGroupAffinity,RegOpenKeyExA,SetEventWhenCallbackReturns,GetUserDefaultUILanguage,GetDurationFormat,BuildCommDCBAndTimeoutsW,FindCloseChangeNotification,GetFileAttributesExW,QueryThreadCycleTime,GetComputerNameW,EnumCalendarInfoExW,Wow64EnableWow64FsRedirection,CallbackMayRunLong,InitOnceInitialize,DuplicateHandle,GetFileTime,GlobalSize,FlushViewOfFile,GlobalLock,GetCurrentConsoleFont,EnterCriticalSection,CreateThreadpoolWork,CreateBoundaryDescriptorW,PeekNamedPipe,GetNamedPipeClientSessionId,UnmapViewOfFile,EnterCriticalSection,RegQueryValueExA,EnumDateFormatsW,CreateFiberEx,GetSystemPreferredUILanguages,LCMapStringW,CancelWaitableTimer,SetLocalTime,InitializeCriticalSectionAndSpinCount,DeleteTimerQueue,TryAcquireSRWLockShared,FillConsoleOutputAttribute,DeleteTimerQueueTimer,QueryPerformanceCounter,SetConsoleTextAttribute,GetConsoleWindow,CheckNameLegalDOS8Dot3W,GetLongPathNameW,GetNumaProximityNode,DnsHostnameToComputerNameW,AddSecureMemoryCacheCallback,LoadModule,ApplicationRecoveryInProgress,RegCloseKey,OutputDebugStringA,

10_2_00007FFB1C884860

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

10_2_00007FFB1C885550

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

10_2_00007FFB1C885550

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182FC9F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF7182FC9F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8F36A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFB1C8F36A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C8E77FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFB1C8E77FC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C888D50 IsThreadAFiber,WaitCommEvent,GetFileInformationByHandle,ConvertThreadToFiber,IsDebuggerPresent,lstrcpyW,HeapCompact,WaitForDebugEvent,CreateTapePartition,GetDurationFormat,OpenWaitableTimerW,GetProcessDEPPolicy,DeleteFileW,LoadResource,CommConfigDialogW,EscapeCommFunction,LocalHandle,SetupComm,NeedCurrentDirectoryForExePathW,DisableThreadLibraryCalls,GetLogicalProcessorInformation,GetAtomNameW,InitializeSListHead,CloseThreadpool,GetSystemRegistryQuota,DebugActiveProcessStop,TzSpecificLocalTimeToSystemTimeEx,OpenSemaphoreW,CountClipboardFormats,EnableWindow,MapWindowPoints,ReadThreadProfilingData,CharPrevW,LockFileEx,MulDiv,DeleteCriticalSection,MapWindowPoints,DeleteTimerQueueTimer,MessageBoxW,GetTickCount,EnumPropsW,SetProcessAffinityMask,DdeQueryStringW,GetActiveWindow,CreateMemoryResourceNotification,WaitForInputIdle,WaitMessage,VkKeyScanExW,GetUserDefaultLangID,HeapDestroy,GetInputState,CopyFileExW,ResolveLocaleName,GetActiveProcessorCount,GetDefaultCommConfigW,EnumCalendarInfoExEx,SetCommState,GetUserDefaultUILanguage,InitializeProcThreadAttributeList,GetUserDefaultLangID,SetProcessDEPPolicy,GetThreadSelectorEntry,EnumResourceTypesExW,SetTapeParameters,GetProcessPreferredUILanguages,GetNLSVersionEx,ReleaseMutexWhenCallbackReturns,GetFileInformationByHandle,OpenFileById,FindFirstFileW,GetMemoryErrorHandlingCapabilities,Wow64DisableWow64FsRedirection,GetProcessWorkingSetSizeEx,MapUserPhysicalPagesScatter,SetUnhandledExceptionFilter,EnumSystemLocalesEx,GetTempPathW,AttachConsole,CloseThreadpoolCleanupGroup,GetSystemDefaultLangID,GetFinalPathNameByHandleW,CreateJobObjectW,EnterSynchronizationBarrier,GlobalAddAtomW,GetConsoleAliasesLengthW,GetLastError,CallNamedPipeW,SearchPathW,SetFileValidData,SetCommBreak,MapUserPhysicalPagesScatter,GetWriteWatch,SetThreadpoolThreadMaximum,ReleaseSemaphoreWhenCallbackReturns,FillConsoleOutputCharacterW,GetProcessorSystemCycleTime,SetTextJustification,SetDefaultDllDirectories,SetBrushOrgEx,GetCurrentProcessorNumberEx,LockFileEx,SetConsoleDisplayMode,SetLastError,WritePrivateProfileSectionW,GetSystemTime,MapUserPhysicalPagesScatter,FindNextFileW,GetVolumeInformationW,EnumResourceTypesExW,HeapCreate,FindNextVolumeMountPointW,UnregisterApplicationRecoveryCallback,GetConsoleAliasW,QueryThreadProfiling,GetFullPathNameTransactedW,WritePrivateProfileSectionW,GetFileTime,CopyFileW,GetSystemTimeAsFileTime,HeapValidate,FileTimeToSystemTime,MoveFileWithProgressW,QueryDepthSList,EnumSystemFirmwareTables,QueryPerformanceCounter,MultiByteToWideChar,GetMaximumProcessorCount,GetActiveProcessorGroupCount,GetSystemFirmwareTable,DosDateTimeToFileTime,InterlockedPushListSListEx,SetThreadpoolTimerEx,InitOnceInitialize,GlobalAddAtomW,SetThreadpoolTimer,GetFocus,GetNextDlgGroupItem,GetTempPathW,GetDlgItemInt,CountClipboardFormats,PrivateExtractIconsW,MoveFileW,CreateDesktopExW,SetCalendarInfoW,SendInput,DrawCaption,SetFileAttributesTransactedW,EnterCriticalSection,ResetWriteWatch,WinHelpW,GlobalGetAtomNameW,GetL	10_2_00007FFB1C888D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C998E30 SetUnhandledExceptionFilter,	10_2_00007FFB1C998E30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDFC20 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00007FFB1DEDFC20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1DEDF040 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FFB1DEDF040

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user~1\appdata\local\temp\psse113.ps1" -propfile "c:\users\user~1\appdata\local\temp\msie101.txt" -scriptfile "c:\users\user~1\appdata\local\temp\scre102.ps1" -scriptargsfile "c:\users\user~1\appdata\local\temp\scre103.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user~1\appdata\local\temp\psse113.ps1" -propfile "c:\users\user~1\appdata\local\temp\msie101.txt" -scriptfile "c:\users\user~1\appdata\local\temp\scre102.ps1" -scriptargsfile "c:\users\user~1\appdata\local\temp\scre103.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FF7182F4560 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateSemaphoreA,WaitForSingleObject,_exit,

10_2_00007FF7182F4560

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C90D110 cpuid

10_2_00007FFB1C90D110

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	10_2_00007FFB1C8FDCB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_00007FFB1C90793C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	10_2_00007FFB1C9079EC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_00007FFB1C907B20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	10_2_00007FFB1C907504
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_00007FFB1C90759C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	10_2_00007FFB1C8FD770
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	10_2_00007FFB1C9077E4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	10_2_00007FFB1C9070D8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	10_2_00007FFB1C907434
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: IsThreadAFiber,WaitCommEvent,GetFileInformationByHandle,ConvertThreadToFiber,IsDebuggerPresent,lstrcpyW,HeapCompact,WaitForDebugEvent,CreateTapePartition,GetDurationFormat,OpenWaitableTimerW,GetProcessDEPPolicy,DeleteFileW,LoadResource,CommConfigDialogW,EscapeCommFunction,LocalHandle,SetupComm,NeedCurrentDirectoryForExePathW,DisableThreadLibraryCalls,GetLogicalProcessorInformation,GetAtomNameW,InitializeSListHead,CloseThreadpool,GetSystemRegistryQuota,DebugActiveProcessStop,TzSpecificLocalTimeToSystemTimeEx,OpenSemaphoreW,CountClipboardFormats,EnableWindow,MapWindowPoints,ReadThreadProfilingData,CharPrevW,LockFileEx,MulDiv,DeleteCriticalSection,MapWindowPoints,DeleteTimerQueueTimer,MessageBoxW,GetTickCount,EnumPropsW,SetProcessAffinityMask,DdeQueryStringW,GetActiveWindow,CreateMemoryResourceNotification,WaitForInputIdle,WaitMessage,VkKeyScanExW,GetUserDefaultLangID,HeapDestroy,GetInputState,CopyFileExW,ResolveLocaleName,GetActiveProcessorCount,GetDefaultCommConfigW,EnumCalendarInfoExEx,SetCommState,GetUserDefaultUILanguage,InitializeProcThreadAttributeList,GetUserDefaultLangID,SetProcessDEPPolicy,GetThreadSelectorEntry,EnumResourceTypesExW,SetTapeParameters,GetProcessPreferredUILanguages,GetNLSVersionEx,ReleaseMutexWhenCallbackReturns,GetFileInformationByHandle,OpenFileById,FindFirstFileW,GetMemoryErrorHandlingCapabilities,Wow64DisableWow64FsRedirection,GetProcessWorkingSetSizeEx,MapUserPhysicalPagesScatter,SetUnhandledExceptionFilter,EnumSystemLocalesEx,GetTempPathW,AttachConsole,CloseThreadpoolCleanupGroup,GetSystemDefaultLangID,GetFinalPathNameByHandleW,CreateJobObjectW,EnterSynchronizationBarrier,GlobalAddAtomW,GetConsoleAliasesLengthW,GetLastError,CallNamedPipeW,SearchPathW,SetFileValidData,SetCommBreak,MapUserPhysicalPagesScatter,GetWriteWatch,SetThreadpoolThreadMaximum,ReleaseSemaphoreWhenCallbackReturns,FillConsoleOutputCharacterW,GetProcessorSystemCycleTime,SetTextJustification,SetDefaultDllDirectories,SetBrushOrgEx,GetCurrentProcessorNumberEx,LockFileEx,SetConsoleDisplayMode,SetLastError,WritePrivateProfileSectionW,GetSystemTime,MapUserPhysicalPagesScatter,FindNextFileW,GetVolumeInformationW,EnumResourceTypesExW,HeapCreate,FindNextVolumeMountPointW,UnregisterApplicationRecoveryCallback,GetConsoleAliasW,QueryThreadProfiling,GetFullPathNameTransactedW,WritePrivateProfileSectionW,GetFileTime,CopyFileW,GetSystemTimeAsFileTime,HeapValidate,FileTimeToSystemTime,MoveFileWithProgressW,QueryDepthSList,EnumSystemFirmwareTables,QueryPerformanceCounter,MultiByteToWideChar,GetMaximumProcessorCount,GetActiveProcessorGroupCount,GetSystemFirmwareTable,DosDateTimeToFileTime,InterlockedPushListSListEx,SetThreadpoolTimerEx,InitOnceInitialize,GlobalAddAtomW,SetThreadpoolTimer,GetFocus,GetNextDlgGroupItem,GetTempPathW,GetDlgItemInt,CountClipboardFormats,PrivateExtractIconsW,MoveFileW,CreateDesktopExW,SetCalendarInfoW,SendInput,DrawCaption,SetFileAttributesTransactedW,EnterCriticalSection,ResetWriteWatch,WinHelpW,GlobalGetAtomNameW,GetLongPathNameTransactedW	10_2_00007FFB1C888D50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	10_2_00007FFB1C998EB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoEx,FormatMessageA,	10_2_00007FFB1C8E4FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: SetThreadGroupAffinity,SetTapeParameters,QueryDosDeviceW,WaitForDebugEvent,DeregisterShellHookWindow,CreateEventW,CreateFileMappingFromApp,RegisterClassExW,UnlockFile,CancelIoEx,ArrangeIconicWindows,CloseThreadpoolIo,PowerSetRequest,GetCursor,BroadcastSystemMessageExW,DestroyWindow,EnumSystemLocalesW,WriteTapemark,HeapValidate,CloseWindowStation,SetConsoleTextAttribute,GetTabbedTextExtentW,IsBadWritePtr,BuildCommDCBAndTimeoutsW,GetHandleInformation,GetVolumeInformationByHandleW,GetPriorityClass,SetLastErrorEx,RemoveDllDirectory,SetThreadErrorMode,UnregisterWaitEx,DebugSetProcessKillOnExit,QueryPerformanceFrequency,DuplicateHandle,GetFileSizeEx,HeapDestroy,CreateFiberEx,Wow64SuspendThread,OpenSemaphoreW,InitOnceExecuteOnce,CreateConsoleScreenBuffer,DeleteFileTransactedW,GetLocaleInfoEx,GetUserPreferredUILanguages,ClosePrivateNamespace,ReleaseSRWLockShared,FindNLSStringEx,SignalObjectAndWait,FindFirstFileW,DefineDosDeviceW,GetDurationFormat,EnumDateFormatsExEx,IsValidCodePage,FlsFree,GetProcessHeap,SetEvent,GlobalDeleteAtom,DisableThreadLibraryCalls,SetCurrentConsoleFontEx,SetLastError,GetConsoleScreenBufferInfoEx,AddResourceAttributeAce,GetDiskFreeSpaceExW,GetStringTypeA,SetProcessMitigationPolicy,RtlCaptureContext,RemoveDirectoryTransactedW,LCIDToLocaleName,lstrcatW,HeapCreate,GetNamedPipeInfo,SetConsoleCP,GetFileSizeEx,MoveFileWithProgressW,RemoveDirectoryTransactedW,PowerCreateRequest,CreatePrivateNamespaceW,BackupSeek,SizeofResource,WritePrivateProfileSectionW,InterlockedFlushSList,FileTimeToSystemTime,FindClose,SetThreadErrorMode,	10_2_00007FFB1C88C640

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FF7182FD3EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_00007FF7182FD3EC

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 10_2_00007FFB1C8FF5D8 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

10_2_00007FFB1C8FF5D8

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

10_2_00007FFB1C885550

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C5E60 setsockopt,bind,_exit,	10_2_00007FF7182C5E60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF7182C5660 listen,_exit,free,free,	10_2_00007FF7182C5660
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FF71827D370 socket,listen,_exit,getsockname,free,free,	10_2_00007FF71827D370
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88CD30 RemoveMenu,GetProcessWorkingSetSizeEx,CloseWindow,DrawAnimatedRects,FindNextVolumeMountPointW,SwitchToThread,CloseThreadpoolTimer,UpdateResourceW,SetProtectedPolicy,GetClassWord,GetModuleHandleW,SetHandleInformation,SetWindowTextW,CopyFile2,GetAtomNameW,SetFilePointer,SetMailslotInfo,PostMessageW,GetProcessHandleCount,SetLayeredWindowAttributes,GetFileInformationByHandle,IsValidLanguageGroup,GetProcAddress,ReOpenFile,CreateCompatibleBitmap,SetDIBits,GlobalFree,MapUserPhysicalPagesScatter,CreateMemoryResourceNotification,Wow64GetThreadContext,UnregisterWait,SelectClipRgn,SetLocalTime,SelectObject,SetDefaultDllDirectories,FindFirstVolumeMountPointW,ExpandEnvironmentStringsW,GetNumaProximityNodeEx,CancelWaitableTimer,HeapWalk,Wow64SuspendThread,FlushFileBuffers,SetFileTime,FindFirstFileTransactedW,GetSystemDirectoryW,SizeofResource,EnumResourceLanguagesExW,EnumDateFormatsExW,GetSystemDefaultLangID,DeleteProcThreadAttributeList,GetLongPathNameW,GetMailslotInfo,LoadPackagedLibrary,ScrollConsoleScreenBufferW,BindIoCompletionCallback,GetLongPathNameW,EnumSystemFirmwareTables,DeleteProcThreadAttributeList,FindFirstFileNameW,CreateFileMappingFromApp,GetFileInformationByHandle,CreateEventW,GetThreadUILanguage,QueryMemoryResourceNotification,SetConsoleMode,GenerateConsoleCtrlEvent,PathFileExistsA,GlobalDeleteAtom,HeapReAlloc,TransactNamedPipe,ClosePrivateNamespace,ClearCommError,LocalFileTimeToFileTime,GetProcessPriorityBoost,CheckNameLegalDOS8Dot3W,MoveFileTransactedW,GlobalAddAtomW,SetCommState,SetDllDirectoryW,GetThreadPriorityBoost,GetFirmwareEnvironmentVariableW,UpdateProcThreadAttribute,SetConsoleMode,FreeLibraryWhenCallbackReturns,GetCalendarInfoW,GetTickCount64,GenerateConsoleCtrlEvent,FlushProcessWriteBuffers,SetThreadpoolWaitEx,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,GetConsoleHistoryInfo,SwitchToThread,CreateTapePartition,HeapReAlloc,UnregisterBadMemoryNotification,GetTimeFormatEx,EnumSystemFirmwareTables,lstrcmpW,WaitForThreadpoolIoCallbacks,GetSystemTimeAsFileTime,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,ScreenToClient,LogicalToPhysicalPoint,InitOnceInitialize,GetThreadErrorMode,OpenFileMappingW,IsImmersiveProcess,SetVolumeLabelW,SetDoubleClickTime,FlushFileBuffers,GetVersionExW,InsertMenuItemW,SetProcessRestrictionExemption,SetMenuInfo,CheckMenuRadioItem,CreateDirectoryW,CreateIconFromResourceEx,QueryThreadpoolStackInformation,IsProcessInJob,SetConsoleTitleW,ExitProcess,Concurrency::cancel_current_task,ExitProcess,	10_2_00007FFB1C88CD30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 10_2_00007FFB1C88A530 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,UpdateResourceW,SetLocalTime,lstrcmpW,GetWriteWatch,GetThreadDescription,TzSpecificLocalTimeToSystemTimeEx,CreateTimerQueue,MapViewOfFile,TerminateProcess,GlobalUnlock,SetThreadUILanguage,GetTickCount,SetConsoleCP,GetProcessIoCounters,GetComputerNameW,CreateThreadpoolWork,CreateSemaphoreW,CloseHandle,BindIoCompletionCallback,TrySubmitThreadpoolCallback,AddSecureMemoryCacheCallback,GetSystemPowerStatus,CopyFileW,UnlockFileEx,GetNamedPipeClientComputerNameW,LCMapStringW,FindFirstStreamTransactedW,EnumSystemGeoID,GetDurationFormatEx,FindNextFileW,SetCurrentDirectoryW,GetCalendarInfoEx,IsValidLocale,CreateDirectoryTransactedW,FreeUserPhysicalPages,GetProcessGroupAffinity,AddResourceAttributeAce,VerSetConditionMask,CreateThreadpoolWait,GetComputerNameExW,GetUserPreferredUILanguages,LocalFree,WriteFile,SetThreadLocale,CreateDirectoryExW,GetNamedPipeInfo,CompareFileTime,CancelSynchronousIo,GetProcessTimes,NeedCurrentDirectoryForExePathW,VirtualProtect,SetProcessDEPPolicy,TransmitCommChar,GetFileBandwidthReservation,CreateSemaphoreExW,SetNamedPipeHandleState,SetThreadDescription,CreateSymbolicLinkTransactedW,TryAcquireSRWLockShared,GetProcessHeaps,GetCPInfo,DiscardVirtualMemory,GetCurrentConsoleFont,GetFileMUIInfo,FileTimeToLocalFileTime,VerSetConditionMask,AddVectoredContinueHandler,GetSystemRegistryQuota,GetApplicationRestartSettings,DeleteTimerQueue,OutputDebugStringA,	10_2_00007FFB1C88A530

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Network Sniffing	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Create Account	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Network Sniffing	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	36 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	21 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.msi	13%	ReversingLabs	Win64.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll	29%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	0%	ReversingLabs
C:\Windows\Installer\MSI90DD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI918A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI91C9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9238.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9297.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB0BE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID1F3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID242.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIE0AB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEA9F.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://search-keys.com/licenseUser.php	0%	Avira URL Cloud	safe
https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
search-keys.com	172.67.204.246	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://search-keys.com/licenseUser.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://openvpn.net/howto.html#mitm	openvpn.exe, openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000008.00000002.1544974565.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000008.00000002.1544974565.000000000520D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	openvpn.exe, 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmp, openvpn.exe, 0000000A.00000002.1647191338.00007FFB0BD8F000.00000002.00000001.01000000.00000009.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1547474511.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gnu.org/licenses/	libgpg-error-0.dll.3.dr	false		high
https://gnu.org/licenses/gpl.html	libgpg-error-0.dll.3.dr	false		high
http://openvpn.net/faq.html#dhcpclientserv	openvpn.exe, openvpn.exe, 0000000A.00000000.1635085211.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 0000000A.00000002.1643374808.00007FF7182FE000.00000002.00000001.01000000.00000007.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1544974565.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.openssl.org/	openvpn.exe	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1544974565.0000000004B36000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search-keys.com/licenseUser.phpAI_DATA_SETTER_4Params	Setup.msi	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.204.246	search-keys.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569989
Start date and time:	2024-12-06 13:50:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.msi
Detection:	MAL
Classification:	mal42.troj.evad.winMSI@10/154@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: Setup.msi

Simulations

Behavior and APIs

Time	Type	Description
09:47:08	API Interceptor	4x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
search-keys.com	installer.msi	Get hash	malicious	Unknown	Browse	104.21.42.101

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	104.26.13.205
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	104.26.12.205
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://rnicrosoft-secured-office.squarespace.com/sharepoint?e=test@test.com.au	Get hash	malicious	HTMLPhisher	Browse	104.21.25.148
	https://i.postimg.cc/y6hBTtv7/png-Hand-SAward.png	Get hash	malicious	HTMLPhisher	Browse	104.21.85.204
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	104.18.69.40
	Simple1.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Document_PDF.vbs	Get hash	malicious	FormBook	Browse	172.67.204.246
	Pr9cqW75nY.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	G3vWD786PN.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	hTXtTJXdLt.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	fqufh5EOJr.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	NGVW0QXQSn.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	EU2Yvx0L9q.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	0XyV1vWJn6.lnk	Get hash	malicious	Unknown	Browse	172.67.204.246
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.204.246
	NewOrder12052024.js	Get hash	malicious	Remcos	Browse	172.67.204.246

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	installer.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	installer.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	v.1.6.3__x64__.msi	Get hash	malicious	LegionLoader	Browse
	v.1.5.4__x64__.msi	Get hash	malicious	LegionLoader	Browse
	LegionLoader (21).msi	Get hash	malicious	Unknown	Browse
	LegionLoader (22).msi	Get hash	malicious	Unknown	Browse
	LegionLoader (17).msi	Get hash	malicious	Unknown	Browse
	LegionLoader (13).msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\6b85d3.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	24134
Entropy (8bit):	5.806329377223401
Encrypted:	false
SSDEEP:	384:Ihwvb0uMkQn64g6LTOCDWkZXr+BhrF70NH5DKLaDoXTKU5K8v5LgPswyswDlc9bD:Ihwvb0uMkQn64g6LTOCDWkZXr+BhrF70
MD5:	AC2CE321F66B828B2C1CC4C72A04C24D
SHA1:	C1E7557C4FB2171BBA4938FB7BCD24FF96898245
SHA-256:	EEF0BF6BDB2ACFBC2D5BEB724EF986E7CF81017FDD0B436536C012D56659FA6A
SHA-512:	29974AA95CB235DD00FFCBF8DE53AB6B26DC0852288686E55A2A710DFE61B15BCD33860BF9BFFFD1E9D932A74A76B17877003575428F16E04CC46F1A47D47A00
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@\|>.Y.@.....@.....@.....@.....@.....@......&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}..Ifid Apps..Setup.msi.@.....@.....@.....@......icon_32.exe..&.{9ED1FB04-2953-4096-9113-EE8E25C60EEA}.....@.....@.....@.....@.......@.....@.....@.......@......Ifid Apps......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{CBCD90DF-DB36-4D67-AEDD-4171F1E02C1A}&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}.@......&.{8BD726EB-D80E-44BF-87C1-E0FF3732DEBE}&.{64A66691-0BFB-4BF1

C:\ProgramData\vlc.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jun 18 23:44:58 2021, mtime=Fri Dec 6 11:51:58 2024, atime=Fri Jun 18 23:44:58 2021, length=984312, window=hide
Category:	dropped
Size (bytes):	2147
Entropy (8bit):	3.8804357464225703
Encrypted:	false
SSDEEP:	24:8itq2y9U4SXKojAD3onreABiBtQoXojADcoXojAD+ok6BA5du1W6BAcM4tm:8itq2ytSX3XBBimnhnnzP5du1WP14t
MD5:	B169AFF6C80F7356B57875C5B28FE487
SHA1:	F17C2BA6955DEEEC2B5A24542231D707194D7A3A
SHA-256:	62DEAB64D5454A9684758C25DB2121A4C1F148637A74AC7D066DB63DB0DD8570
SHA-512:	5F85F8CA4ADA31E1FB0C7F85223471E0C0CC850FEA3CB0E8767D633A3DAA8ED7C9F7020981DD61AEAA30D3FA12505700864ED74BE30493097AE29025C91DF984
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....a'T.d...u..G...a'T.d..........................$.:..DG..Yr?.D..U..k0.&...&......Qg._...^....G..K0..G......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y.u..........................3N.A.p.p.D.a.t.a...B.V.1......Y.u..Roaming.@......EW.=.Y.u..........................;YD.R.o.a.m.i.n.g.....^.1......Y.u..GROVIT~1..F......Y.u.Y.u....E.....................;YD.G.r.o.v.i. .T.e.n.d.....\.1......Y.u..IFIDAP~1..D......Y.u.Y.u....I.......................?.I.f.i.d. .A.p.p.s.....V.2......R.. .vlc.exe.@.......R...Y.f.....J........................v.l.c...e.x.e.......n...............-.......m............g.o.....C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe..?.....\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.o.v.i. .T.e.n.d.\.I.f.i.d. .A.p.p.s.\.v.l.c...e.x.e.8.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.o.v.i. .T.e.n.d.\.I.f.i.d. .A.p.p.s.\.i.C.:.\.U.s.e.r.s.\.f.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\licenseUser[1].htm

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:u:u
MD5:	E99BB33727D338314912E86FBDEC87AF
SHA1:	6779AFBC3E993C547CA0800A9754F37A6E80E0ED
SHA-256:	6856C5A3A26B5A3F2EAD70CA56870769D1FEE88F9C457F4360812F2203565824
SHA-512:	00FC5A88AB965B5A16D7CA33CFEF247ECE3185560F2C778CFBDD0353FE73505638E300B35F447713D26A5001AB29F6F969622BCEAEF1C100E80913F7430CC085
Malicious:	false
Preview:	0a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.415059038751397
Encrypted:	false
SSDEEP:	24:3Uyt3WSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R82r6SVbu:ky9WSU4y4RQmFoUeWmfmZ9tK8NWR823Q
MD5:	C9FCDEDA736FE17312D6972E2794F6C0
SHA1:	577B74490A15625AA1F5EB1C3FDC1CEF6CC08826
SHA-256:	B9903D16E49921FE437EC4C8DA74163F9369C519B8E3F3DC763B73AF2B40422A
SHA-512:	96A1C2ADBE659F8D15BE35B342DA7479A2F196F64D9DA82F22E618391C12E37E413F25E539EC17AF3F7FD2DAAF656D2EA509E022BF00BD88A91681484FC98A44
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hix3epg.dpk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmmx3cuo.xyy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\msiE101.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	122
Entropy (8bit):	3.1667420649728686
Encrypted:	false
SSDEEP:	3:QtFKYpjKjKDiAl35Yplf8fvlx3lMlRfLlYplf955:Q6mfDj0LknzmDfqLN
MD5:	BEF676D96B9656E7AC627E98505E7E6E
SHA1:	DC401309AC594D38E1B9F4FB00BEBFEB7F0DD68E
SHA-256:	A4C7D6203AEE535ACF78FA50329D7FD325C09F7C5D0A83F123B4304970E6426B
SHA-512:	9803B91D168FDCE7EE2556C2B55A2A3BAB215399851EF9FD651C60AAEA5EC5701F75F262332D4A0F8A0AAC86CD4C7DEEB32BE195680942C3AC5CFDF12CFC2614
Malicious:	false
Preview:	..H.t.t.p.P.o.s.t.S.e.r.v.e.r.R.e.s.p.o.n.s.e. .:.<.-.>.:. .0.a. .<.<.:.>.>. .C.y.o.q.R.i.n. .:.<.-.>.:. .0. .<.<.:.>.>. .

C:\Users\user\AppData\Local\Temp\pssE113.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	false
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scrE102.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.531795843558323
Encrypted:	false
SSDEEP:	6:Qgk79idK3fgmfDjplXhkvKN+KiV6IrMTl0x1LlG7JidK3fclOmDF+thkvl:QPEgxkvKstrMT9NIxB+Dkvl
MD5:	EA4BD253C1500BFABE6550E439E102C8
SHA1:	A734A4AC299183E0749655492DDD0D5952071063
SHA-256:	8BC5B5F9B666FE7CFF50539329F096F2D69BA3280084FCDA670A3314896359DB
SHA-512:	449DFAFB91AC4933267FE6B94EEAF04EE870295122F7A553C8C3B26641496B36C8A764B3DACDB2EFE45CE09CD4CC880C5F41976DB62E0DAD9481D8A6746CBA18
Malicious:	false
Preview:	..$.s.a.i.f.a.h. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".H.t.t.p.P.o.s.t.S.e.r.v.e.r.R.e.s.p.o.n.s.e.".....$.o.i.a.w.e.j.f.i.o.u. .=. .[.u.i.n.t.3.2.].(.$.s.a.i.f.a.h. .-.r.e.p.l.a.c.e. .'.a.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.y.o.q.R.i.n.". .$.o.i.a.w.e.j.f.i.o.u.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	256864
Entropy (8bit):	6.8622477797553
Encrypted:	false
SSDEEP:	3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
MD5:	E0BFA64EEFA440859C8525DFEC1962D0
SHA1:	4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
SHA-256:	8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
SHA-512:	04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: installer.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....vv..vv..vv...u..vv...s..vv...r..vv...u..vv...r..vv...s._vv...w..vv..vw..vv.G....vv.G.v..vv.G..vv..v..vv.G.t..vv.Rich.vv.................PE..L.....$g.........."!...).(..........@i.......@......................................;.....@A....................................P.......p...............`=......l....s..p....................s......@r..@............@...............................text....'.......(.................. ..`.rdata..XU...@...V...,..............@..@.data...............................@....fptable............................@....rsrc...p...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	506008
Entropy (8bit):	6.4284173495366845
Encrypted:	false
SSDEEP:	6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:	98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:	76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:	E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:	D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: installer.msi, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: v.1.6.3__x64__.msi, Detection: malicious, Browse Filename: v.1.5.4__x64__.msi, Detection: malicious, Browse Filename: LegionLoader (21).msi, Detection: malicious, Browse Filename: LegionLoader (22).msi, Detection: malicious, Browse Filename: LegionLoader (17).msi, Detection: malicious, Browse Filename: LegionLoader (13).msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............\|.&.....\|.$.J...\|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................\|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97152
Entropy (8bit):	6.423207912198565
Encrypted:	false
SSDEEP:	1536:yOHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1lLN:yOr/Z+jPYNV9H0Q8ecbjt1j
MD5:	5797D2A762227F35CDD581EC648693A8
SHA1:	E587B804DB5E95833CBD2229AF54C755EE0393B9
SHA-256:	C51C64DFB7C445ECF0001F69C27E13299DDCFBA0780EFA72B866A7487B7491C7
SHA-512:	5C4DE4F65C0338F9A63B853DB356175CAE15C2DDC6B727F473726D69EE0D07545AC64B313C380548211216EA667CAF32C5A0FD86F7ABE75FC60086822BC4C92E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d.....`.........." .........`......p...............................................'J....`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14272
Entropy (8bit):	6.519411559704781
Encrypted:	false
SSDEEP:	192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:	E173F3AB46096482C4361378F6DCB261
SHA1:	7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:	C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:	3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.659079053710614
Encrypted:	false
SSDEEP:	192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:	9C9B50B204FCB84265810EF1F3C5D70A
SHA1:	0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:	25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:	EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11200
Entropy (8bit):	6.7627840671368835
Encrypted:	false
SSDEEP:	192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:	0233F97324AAAA048F705D999244BC71
SHA1:	5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:	42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:	8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.590253878523919
Encrypted:	false
SSDEEP:	192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:	E1BA66696901CF9B456559861F92786E
SHA1:	D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:	02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:	08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.672720452347989
Encrypted:	false
SSDEEP:	192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:	7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:	0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:	9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:	D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13760
Entropy (8bit):	6.575688560984027
Encrypted:	false
SSDEEP:	192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:	6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:	15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:	A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:	EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.70261983917014
Encrypted:	false
SSDEEP:	192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:	D175430EFF058838CEE2E334951F6C9C
SHA1:	7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:	1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:	6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.599515320379107
Encrypted:	false
SSDEEP:	192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:	9D43B5E3C7C529425EDF1183511C29E4
SHA1:	07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:	19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:	C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.690164913578267
Encrypted:	false
SSDEEP:	192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:	43E1AE2E432EB99AA4427BB68F8826BB
SHA1:	EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:	3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:	40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.615761482304143
Encrypted:	false
SSDEEP:	192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:	735636096B86B761DA49EF26A1C7F779
SHA1:	E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:	5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:	3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.627282858694643
Encrypted:	false
SSDEEP:	192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:	031DC390780AC08F498E82A5604EF1EB
SHA1:	CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:	B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:	1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.435326465651674
Encrypted:	false
SSDEEP:	192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:	285DCD72D73559678CFD3ED39F81DDAD
SHA1:	DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:	6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:	84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.5874576656353145
Encrypted:	false
SSDEEP:	192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:	5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:	FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:	AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:	FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.645869978118917
Encrypted:	false
SSDEEP:	192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:	41FBBB054AF69F0141E8FC7480D7F122
SHA1:	3613A572B462845D6478A92A94769885DA0843AF
SHA-256:	974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:	97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.564006501134889
Encrypted:	false
SSDEEP:	192:8a9aY17aFBRAWYhWYWWFYg7VWQ4eWbr0tJSUtpwBqnajrmaaG:8ad9WYhW4F/qlQG
MD5:	212D58CEFB2347BD694B214A27828C83
SHA1:	F0E98E2D594054E8A836BD9C6F68C3FE5048F870
SHA-256:	8166321F14D5804CE76F172F290A6F39CE81373257887D9897A6CF3925D47989
SHA-512:	637C215ED3E781F824AE93A0E04A7B6C0A6B1694D489E9058203630DCFC0B8152F2EB452177EA9FD2872A8A1F29C539F85A2F2824CF50B1D7496FA3FEBE27DFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...h{............" .........................................................0......J(....`.........................................0................ ...................!..............T............................................................................rdata..F...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.678162783983714
Encrypted:	false
SSDEEP:	192:+WYhWoWWFYg7VWQ4eWSoV7jjT6iBTqnajbQwr1:+WYhWIiVTTXZl3QC
MD5:	242829C7BE4190564BECEE51C7A43A7E
SHA1:	663154C1437ACF66480518068FBC756F5CABB72F
SHA-256:	EDC1699E9995F98826DF06D2C45BEB9E02AA7817BAE3E61373096AE7F6FA06E0
SHA-512:	3529FDE428AFFC3663C5C69BAEE60367A083841B49583080F0C4C7E72EAA63CABBF8B9DA8CCFC473B3C552A0453405A4A68FCD7888D143529D53E5EEC9A91A34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...+P............" .........................................................0......@.....`.........................................0...e............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	6.2047011292890195
Encrypted:	false
SSDEEP:	192:8JIDSM4Oe59rmkUALQe1hgmL44WYhWWWWFYg7VWQ4yWARgKZRqnajl6umA:8JI2M4Oe59Ckb1hgmLhWYhW2v2yRlwQ
MD5:	FB79420EC05AA715FE76D9B89111F3E2
SHA1:	15C6D65837C9979AF7EC143E034923884C3B0DBD
SHA-256:	F6A93FE6B57A54AAC46229F2ED14A0A979BF60416ADB2B2CFC672386CCB2B42E
SHA-512:	C40884C80F7921ADDCED37B1BF282BB5CB47608E53D4F4127EF1C6CE7E6BB9A4ADC7401389BC8504BF24751C402342693B11CEF8D06862677A63159A04DA544E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...IV............" .........,...............................................P.......e....`.........................................0....%...........@...............0...!..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19904
Entropy (8bit):	6.189411151090302
Encrypted:	false
SSDEEP:	384:4SrxLPmIHJI6/CpG3t2G3t4odXLhWYhWfgy6l9ne:4iPmIHJI6vZO
MD5:	A5B920F24AEA5C2528FE539CD7D20105
SHA1:	3FAE25B81DC65923C1911649ED19F193ADC7BDDE
SHA-256:	5B3E29116383BA48A2F46594402246264B4CB001023237EBBF28E7E9292CDB92
SHA-512:	F77F83C7FAD442A9A915ABCBC2AF36198A56A1BC93D1423FC22E6016D5CC53E47DE712E07C118DD85E72D4750CA450D90FDB6F9544D097AFC170AEECC5863158
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.../..N.........." .........(...............................................P......C.....`.........................................0.... ...........@...............,...!..............T............................................................................rdata..$".......$..................@..@.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64456
Entropy (8bit):	5.53593950821058
Encrypted:	false
SSDEEP:	1536:Se6De5c4bFe2JyhcvxXWpD7d3334BkZn+PI5c:Se6De5c4bFe2JyhcvxXWpD7d3334BkZU
MD5:	5C2004DAF398620211F0AD9781FF4EC2
SHA1:	E43DD814E90330880EE75259809EEE7B91B4FFA6
SHA-256:	55BC91A549D22B160AE4704485E19DEE955C7C2534E7447AFB84801EE629639B
SHA-512:	11EDBBC662584BB1DEA37D1B23C56426B970D127F290F3BE21CD1BA0A80D1F202047ABB80D8460D17A7CACF095DE90B78A54F7C7EC395043D54B49FFE688DF51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......F.........." ......................................................................`.........................................0...T................................!..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12736
Entropy (8bit):	6.592404054572702
Encrypted:	false
SSDEEP:	192:+nqjd7dWYhWDWWFYg7VWQ4yWMJ5HKZRqnajl6b:+nsWYhWxp5HyRlwb
MD5:	DD899C6FFECCE1DCA3E1C3B9BA2C8DA2
SHA1:	2914B84226F5996161EB3646E62973B1E6C9E596
SHA-256:	191F53988C7F02DD888C4FBF7C1D3351570F3B641146FAE6D60ACDAE544771AE
SHA-512:	2DB47FAA025C797D8B9B82DE4254EE80E499203DE8C6738BD17DDF6A77149020857F95D0B145128681A3084B95C7D14EB678C0A607C58B76137403C80FE8F856
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...P..D.........." .........................................................0......N.....`.........................................0...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16328
Entropy (8bit):	6.449442433945565
Encrypted:	false
SSDEEP:	192:maajPrpJhhf4AN5/KixWYhW4XWWFYg7VWQ4eWvppXjxceXqnajLJhrdCq:mlbr7nWYhW41MXjmAlnJhUq
MD5:	883120F9C25633B6C688577D024EFD12
SHA1:	E4FA6254623A2B4CDEA61712CDFA9C91AA905F18
SHA-256:	4390C389BBBF9EC7215D12D22723EFD77BEB4CD83311C75FFE215725ECFD55DC
SHA-512:	F17D3B667CC8002F4B6E6B96B630913FA1CB4083D855DB5B7269518F6FF6EEBF835544FA3B737F4FC0EB46CCB368778C4AE8B11EBCF9274CE1E5A0BA331A0E2F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...9..b.........." .........................................................@......^%....`.........................................0...4............0...................!..............T............................................................................rdata..d...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17864
Entropy (8bit):	6.393000322519701
Encrypted:	false
SSDEEP:	192:WpPLNPjFuWYFxEpahTWYhWHWWFYg7VWQ4eW9M3u57ZqnajgnLSuRCz:W19OFVhTWYhWlBu5llk2
MD5:	29680D7B1105171116A137450C8BB452
SHA1:	492BB8C231AAE9D5F5AF565ABB208A706FB2B130
SHA-256:	6F6F6E857B347F70ECC669B4DF73C32E42199B834FE009641D7B41A0B1C210AF
SHA-512:	87DCF131E21041B06ED84C3A510FE360048DE46F1975155B4B12E4BBF120F2DD0CB74CCD2E8691A39EEE0DA7F82AD39BC65C81F530FC0572A726F0A6661524F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....v..........." ......... ...............................................@............`.........................................0...a............0...............$...!..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\dictionaries\en_US.aff

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3246
Entropy (8bit):	4.313391741874073
Encrypted:	false
SSDEEP:	48:T7emiglihmWpRlH61/98BuY3SZQU3uD4Vg1lwsbJ0EcWiOr5NSr5NK3WuhYljrHN:RigQLsAiOUoeFTQUydYVrF31pwhwoe
MD5:	D329845E5D86AFEBE0DB82B3422C70C2
SHA1:	E432BEE2397B8573444ECAE348300F06AA5DF032
SHA-256:	56E2090475E1CE11A1885CE8ECE4D4B1F1E863F69A7233CC00BAF56CDAAA9096
SHA-512:	137202D74C374EC168BC64BBD0039BE2A77DC052842367550EB8E31C9C95B58585F4D3F46F72F80D4A22229C64B8600629B3FAB4F1E9E681446635E0A7524892
Malicious:	false
Preview:	SET ISO8859-1..TRY esianrtolcdugmphbyfvkwzESIANRTOLCDUGMPHBYFVKWZ'..NOSUGGEST !....# ordinal numbers..COMPOUNDMIN 1..# only in compounds: 1th, 2th, 3th..ONLYINCOMPOUND c..# compound rules:..# 1. [0-9]1[0-9]th (10th, 11th, 12th, 56714th, etc.)..# 2. [0-9][02-9](1st\|2nd\|3rd\|[4-9]th) (21st, 22nd, 123rd, 1234th, etc.)..COMPOUNDRULE 2..COMPOUNDRULE n1t..COMPOUNDRULE nmp..WORDCHARS 0123456789....PFX A Y 1..PFX A 0 re .....PFX I Y 1..PFX I 0 in .....PFX U Y 1..PFX U 0 un .....PFX C Y 1..PFX C 0 de .....PFX E Y 1..PFX E 0 dis .....PFX F Y 1..PFX F 0 con .....PFX K Y 1..PFX K 0 pro .....SFX V N 2..SFX V e ive e..SFX V 0 ive [^e]....SFX N Y 3..SFX N e ion e..SFX N y ication y ..SFX N 0 en [^ey] ....SFX X Y 3..SFX X e ions e..SFX X y ications y..SFX X 0 ens [^ey]....SFX H N 2..SFX H y ieth

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\dictionaries\en_US.dic

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	758251
Entropy (8bit):	4.79038751246559
Encrypted:	false
SSDEEP:	12288:ja/Jivuk9SBJTgI6ecuunMM9J2QX6aCYyV9KdrbHzQnkzDBfcbEwoiiJQC:IJivGTvcuc36FK9m0i1C
MD5:	3D51E0A789AD7B97307DC64229EFE5BA
SHA1:	A8665D0D492D85B3A4F903C9C4D43CC42D416516
SHA-256:	800EA3988CE7707858D97DA15228A30A7C0C0EECDC560EACE14BC0F0965A338E
SHA-512:	86BC40B7B87E15A36498F2BE31E1C05D6CBE2F4C8290FD5DC6A5D561E3F6AC8500D5F56585760582DE89518A23C4219EBB5D53BDC9FFAD121AFF9057E95668F8
Malicious:	false
Preview:	62118..0/nm..1/n1..2/nm..3/nm..4/nm..5/nm..6/nm..7/nm..8/nm..9/nm..0th/pt..1st/p..1th/tc..2nd/p..2th/tc..3rd/p..3th/tc..4th/pt..5th/pt..6th/pt..7th/pt..8th/pt..9th/pt..a..A..AA..AAA..Aachen/M..aardvark/SM..Aaren/M..Aarhus/M..Aarika/M..Aaron/M..AB..aback..abacus/SM..abaft..Abagael/M..Abagail/M..abalone/SM..abandoner/M..abandon/LGDRS..abandonment/SM..abase/LGDSR..abasement/S..abaser/M..abashed/UY..abashment/MS..abash/SDLG..abate/DSRLG..abated/U..abatement/MS..abater/M..abattoir/SM..Abba/M..Abbe/M..abb./S..abbess/SM..Abbey/M..abbey/MS..Abbie/M..Abbi/M..Abbot/M..abbot/MS..Abbott/M..abbr..abbrev..abbreviated/UA..abbreviates/A..abbreviate/XDSNG..abbreviating/A..abbreviation/M..Abbye/M..Abby/M..ABC/M..Abdel/M..abdicate/NGDSX..abdication/M..abdomen/SM..abdominal/YS..abduct/DGS..abduction/SM..abductor/SM..Abdul/M..ab/DY..abeam..Abelard/M..Abel/M..Abelson/M..Abe/M..Aberdeen/M..Abernathy/M..aberrant/YS..aberrational..aberration/SM..abet/S..abetted..abetting..abettor/SM..Abeu/M..abeyance/MS..abeya

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\clipboard-40-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	280
Entropy (8bit):	6.328040373865125
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKEk/2wqNmEyvsYEE3r7UXGEoW7yR/bp:6v/78nMtIj9yx/6cl1
MD5:	C58286125E5CB909DAE9107DFD8F2006
SHA1:	21380AE4E18FC176759885416684A0B19C7F7C82
SHA-256:	A65F53D774AFC38308625E6C165B2EAD4F1DD03D25896548B42F2F21CF901D2B
SHA-512:	4E00ED5AC90F78C62BE0507A2DB2ECD57F4505DD79870AA4C1BF485B13E076D5CC29BF4EC9FB0625FEA9F186BF0C21C5F5D7D40BBD6A14C4CC9C6D840800FE1C
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`......%..w..v&&&A\..N...ey........&.-..... 6L.++..... 9...Z......\|......n..Tl..1..PO...!...../.O".o.....j..x..g..3.4..033K..2.!R S..,H.....l.......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\documents-folders-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	294
Entropy (8bit):	6.181656360209844
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKahknMBpLYoTn40eWuD1hidlYfelDblbp:6v/78nMtehFBpsWnLuDWvYQf
MD5:	09C1CB2C3931F1E4FA7039678026BFAC
SHA1:	72526E215BA70B6C0C53A14E30177B3C9C9B3AC7
SHA-256:	10E4A6EB6992319CA1EB35C7366E3B7A6F1ECA743456282DCF64E76528705D23
SHA-512:	79C273D66BC3D650643EE84C9C3BE4438848F23DFAB09EF345F93E45EE440147B858E4556B281F166A0640F6EA65A3D8F8D660B2466C9F7CE63DA42035C50E30
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..A~.Z!...\.(_.......4+.+.'....,.0.d.>MR..{..%....F3...<..Q.LL..b(.!d........s.....6..h$.... -!y.....e.L......5......Ib.8I........ddg.4...d@.J...@......W...N.r....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\download-folder-9-32.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.2752538251619265
Encrypted:	false
SSDEEP:	12:6v/7iwnMtI5NdBM926zd5296hYRSOGdZret7SnP4BZKPw2n:ckANbMH2OASOG/retb6
MD5:	CBECFA8E3A39AD187D0B5B611E8530D3
SHA1:	1F98EC988EB2326A7905EA0CB0DADB11DFF98456
SHA-256:	9B54F74F911E5F78A187B52EC94F2049180BF2FBFD043B3E56E5F1D4BF6654A0
SHA-512:	F68AFB9275F37AA3FB42879D0147B30367A8CE15DEDBC967557D9DEBE12F649665D6E86F32BE3E66640FE95243F7A275656CB5A440A6676BEC74DD2041F5C8CC
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDATX.c`..P...)!&.IIN......\XQN..H.H=U-W.....b....gee...@>".r.....H....v\|.A...c9)....2.Rg.......9...d,+%u...Ev...s.JH... ...W8.....3.9@NZ.6/.O<..O....CR....w...,..a.9..-.1.l....r".%(.:@^F.)zV......YI........O3.(......,."....+%.....2....Q...N.....H...PjeeaQ.......:d%..$...r.....L....b.HKH.G.........@1.t1`H...@_.cbb.G7....Q..{C.4 &"..T....,.j.....$.r>..t.gC%y...\\A.,.....&..Tw.4G.....e9..w.(+.k.\#.h%V...........Hv3...4......De.j....0..agg7gcc..f.c..DT.....P.Q.$....L.......F...P..#.v\baFk."..(h@.%P"... .@f....,.....Hp.3E$.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\employee-id-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	329
Entropy (8bit):	6.420308355307663
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyK2z8phbkbsxZG9leYdylfqCJ+k3iIp:6v/78nMtqYPoNl8fqCJlii
MD5:	0674729E929FD791FC0D0AEF5B2FB5D9
SHA1:	0A321E40FEA01E9FF341BAF78FCEE0D81963D84C
SHA-256:	CF909DDCDF9BAD76EC0640275CE54B73F20EAE0A5E80ED7DC9F48AE982ACA8DF
SHA-512:	59A317D283E2638593A82E149BDC3B8BC7E9FF0F5A575F3BC51845FCDF01174EB1E4B498C9B21897B73A461A1B2F9E068168920EF7A98F593DA61A99A83F15CE
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..........A....'P.W...io.;.....@...2.&.R..YAV.5.bl. .Az.6cS...".fcc..f(P.).Y.. ,)..KH@...Allj....q.@..k....%X..II.$..B.J..F.F..fFFF...P..{.3...@.......^.F..V.@qIl..L.l&XS"1XA.......I.`p....^..>.......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\eraser-16-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	324
Entropy (8bit):	6.491766680808101
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKll8n/sk3c7jBQxWgqbrTSMHmxHuESGmO2+vi8A9hN/sup:6v/78nMtboUKcuWgqbf5EHLSGmS6jD/N
MD5:	59CE25E2011AC621D8C76D5EBC98E421
SHA1:	27D9D254EDE7482CCBAE645E52CBB2BFB14EAB74
SHA-256:	5BE77F5B2BB5A057E27733A28E36E535076D2EF12A6263B13D2EAA6ED9E59B09
SHA-512:	3934D94EBC886D6386272D33782E8A7833945725AB227F3CB854FB2185A0539F2E43E9EC9E85A595C73F73E6BB57B289200A7E15F02240536ABF24CEA752603D
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c` ....9.........DD.*.+..a.I.sdk&..l...9K.f......!.h.ax..4K.K.$..`.s0012r.8..2.A.qqr...YLXd..vfff1.. .@-..o.4......!.5....L.!85.0..$&-!q.(......#d.@C...........4.Y3.e.@.<........37..H3.:........n....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\fonts-folder-3-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	267
Entropy (8bit):	6.19077973468042
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKzEj/0GGou28UK+L+WVmMFntkDqnXEuOp:6v/78nMtih228RnumMV+DqXEu8
MD5:	4E4AB21E8FDEE3C90C277F6EC23BF8CD
SHA1:	2CA13EA94FE3CAEDAB3A2BE44FC18CD2A523CECA
SHA-256:	956D447717A91521D4A0B48486189795B0F0E83F11C05E32F8FE666529D040C3
SHA-512:	EC6CA34F6D975D1E3E433D3B8BA9CCE9FB6742D3F17B2DCC27B7201A98EA23479C33FD209B2584A8F5C633B97802D757E4D2BC1397FA7BFA3D802291D699C78D
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.........0.:>^....011.......f.V...3.*..h..c...p1.....$A.#clj.z...@TB..P..%O..2.......sET....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\list-document-32.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	460
Entropy (8bit):	6.83761150187215
Encrypted:	false
SSDEEP:	6:6v/lhPKwnMRtyKIj7eaYGwoGn9iGUl/nf+wB417DbsLRtAJNfEYopHnt41dSoEs4:6v/7iwnMt8jsoi9lkwDsAsYopOdt7SaY
MD5:	09EFF4F4D770599A874BC2D94065A8CC
SHA1:	265B40063ED9EE376C5991AA39E5772AD68C406F
SHA-256:	A9238998CC2DCF53933685F7D92686C81F9433167087AD4820E121FAAEA460B5
SHA-512:	C3E01B97D92C5AF4F6A023374D4EF8A23BACA485DF82A2ADAE753650062FE857CA2FECF5AC33E720F8B92C2AFAD0C2FCD5B141475C11FD451C6DB82A9D26A349
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<...JIDATX.c`.L...+PAF......J....Gq..lll.$9.....?B..-@...r..-.c.Q......4w....=.....!A..@_......}lj...Zh..i...0s..].+M...>M..L..@...........M.0w..Y....M...r.0$....C?...@....."..-M...0G.B...@4]......y.[.....a.. *$<....MLXd... +%u.9=.S.]......`..4.....MRL\|.....s.0{.%....9...3.y......$..&B.(.M...p4..&.....t.00..8........r...8.0....;zg..(....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\safe-31-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	374
Entropy (8bit):	6.671134871061204
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKKy/nDjX8HfN2qmvwKliLbUpyfp1HZAp8TFEWdp:6v/78nMtOybjsHfN2ikinU6p15dKWz
MD5:	4A4930AE3498DCE09DDD80775E1FD7E4
SHA1:	548E0FCCD0C382778F26D2DE411560B30BF23ED4
SHA-256:	C21F5FC164884D7AE90D306B8098CA4A4FDDC028D63B04E75E06823293960D3E
SHA-512:	68ED2585AB02E9B3ECBC481C55FF3B42721D9689502A9E0FBDA162FF8C9AF78FCD98B0DDA683EE1224A14C5543271DC953CF788F5DF8AF38AD757CD81B88A6FE
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..&F&^A~.z!...b0H-H..X3.......r0.##...4r...c.9..Q..}.r..3.,.............@.s.s.r..[.K.<.i...4#.%$.1...Q..D...$'......B........I2...Y.$.......b...j..X@......b.....>+..}...PC&)..&)..r....y....N...}J.f....A....Cu::...p.I.0.<..P.=L.............IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\star-folder-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	301
Entropy (8bit):	6.433970126002673
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyK9Ej/0GGou28UKwrQdo/0ek1kCjFO75gD5NhUmuVp:6v/78nMtsh228RwrQq/Vk5O+Dimu7
MD5:	6212A7A0F72777E1702FF69655C11014
SHA1:	340F31181297EEFD1E7C710A53D34812F3FE5586
SHA-256:	5E0D0CC1E5A7CCDF0754A131C00FDEFB345E763047D00CF458B485A660F8C961
SHA-512:	819DCB658A57907C700366518E19814D2FF57DBC0902843FD1E5C0D140AEF9163A5EA0370A98EF93EC4D997DA362A96B9D204B30C2F45249B00BB2E92AD05FE8
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.....xy3....D3V...\....x.......h...#.+.....r.P!....$y.]7Ia '-s...Y).KX..FE&.....\|nN.?....+PDHh..h..<...8t....<.J.......sr......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\swatch-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	275
Entropy (8bit):	6.241760254713669
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKxWuGoM+kPJzlX8jjbnbbvkLV+Vm+p:6v/78nMttpM36H8LV+Vms
MD5:	F7515A8ECBF2AA3AA9C57DFF3B05753E
SHA1:	F51571132ADA200E233E5279014F6E396800C8C4
SHA-256:	5BEBE21F8829533D8118E9B47DD49E2317C735A472477B583211670782312665
SHA-512:	9AE9D82588858A39C6B56B99AD2703CA2652EB99358B234A632D47C38E1FE48E1548DB7CC763352FA1AF4E49B0A4CF3DDA9B8425BBFC94FAC4B7D1E957294988
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`@........B.....$..CW...e.*.+...j.`..2..f...U.0..D..!..V.....`.@~... ....."....5.....(6...m...$F......^@NHD....(N. ..(dg&$....... 1l6..Lc..:.qo....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\sync-folder-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	358
Entropy (8bit):	6.674957154010901
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKaX2j/0GGou28UKztI9ohN9y6EHnqywm1jgWHopHbp:6v/78nMte0h228R5mvHnRwpWHopV
MD5:	D0301F65CE574CFB8601F381A04FC2DC
SHA1:	B970384F7B4D11280A41498CD99B73FFA8EED575
SHA-256:	D1E2AA31652F8CCD1F8C6BE5F7DBE5056407DA790EA8604BA776FD9856546BCD
SHA-512:	17CE1CA8593D575544EFDE570A30BD5D78DD7D35FF03C25D990ED11A5521D95BB6FCB7FAE899D93B7C46C8F5CC7C2533763A1D4DF31D7CFEDB8256801D0AEE56
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.....E..&..... 1.Q.5.j.xy3.......U..,...N._....9).[ ...2.ab....0... #)u.......d..4@DHx0j...{.."V..l..$.(..WL...LL.r...ar...I...p.....n...,.0.XYY.y....L&)!...L...BrR......=f.Y....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\text-document-10-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	282
Entropy (8bit):	6.2049316386300095
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKOhknMBpLYoTn40eWus7vrGVr3gWndp:6v/78nMtKhFBpsWnLusHGVrgWz
MD5:	0943B8C4B397211B1C73B2288D2B0655
SHA1:	2437C95E1CBDD6240D84EEB88C57CAFDFA5AE792
SHA-256:	4221BB09453A0ED7183FB675B374F17B5F28BA7097AFBABBCCEBBB05EC557911
SHA-512:	DF7BF3F6DEF5CA7E227EB2BF3F1E313F066C3AFE178D584860D6D6325B03DBFE6949C0C72643C3E0D8748767182892D7FAB4D090C1E86FC7D1911D58EF13FC3E
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..A~.Z!...\.(_.......4+.+.'....,.0.d.>MR..{..%....F3...<..Q.LL..b(.!d........s.....6..h$..I5...4@BTl-r....W.d..]...>....... %3!.P..?...T"1\3.t..Wn%.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\upload-folder-5-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	325
Entropy (8bit):	6.5022763903385785
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKFEj/0GGou28UKs/5Ln9R/ZVfFMXqfXMsnM2Sup:6v/78nMtkh228Rs/550yMshSc
MD5:	ACFF953EC211AF6260069114D88B5D5E
SHA1:	DBCCE1D8B99F2AAF2411FAEE55885CE4B0C87343
SHA-256:	67D52CE987D7BB34817359BB689C69DD769FB3D147D136C65F16F94FDA16E2EF
SHA-512:	6C069BA0EB35774A23A3FB8B46119069F510AD7F0B3F9FB5B98E3667C91EDA0E4D5508E79480010B829C86E35B7A62CBAB6B0350169AFF8FA58CDD5D7869D650
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@......Q..}.K...7...\|<.i0o....cS#./P...n.......I&..i....\VR..A.8..A.....`....;A4.7w$Q^.%,.. ....W...=.......L\.XXX.XYX..F#>..JH .J...IVR..........4.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	158192
Entropy (8bit):	6.276215721465373
Encrypted:	false
SSDEEP:	3072:CHpTY9D4S6S8AFezF9bqtdf1i+PTHnlLee0cw1XbCzoll1e+Asrm+P0w:CHpTnF+qe3yCzolfe2rm7w
MD5:	04932B84E5CD4EA826840EE8EDE549B0
SHA1:	6FE6F09021D4341537EA0C9010048D37462A0782
SHA-256:	74DF283D6DDE5FC5DB3073619F712A80C9DEBE38291D3EF91EDCD3C220601407
SHA-512:	35E5C73E59785DF4E30BBE0B8B27960C9F38E3CF4944E0470622DF20424B421387648172427C17AD3502FAC3E2DF4D1C21F2B9B1E5261B6707A528D79F9F3C00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#.....:......P..........e.............................................. ......................................`.......p.......... ............>...+......................................(...................(t...............................text...............................`.P`.data... ...........................@.`..rdata...*.......,..................@.`@.pdata..............................@.0@.xdata.......0......................@.0@.bss....p....P........................`..edata.......`......................@.0@.idata.......p......."..............@.0..CRT....X............2..............@.@..tls.................4..............@.@..rsrc... ............6..............@.0..reloc...............<..............@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4700448
Entropy (8bit):	6.762778198451197
Encrypted:	false
SSDEEP:	98304:GF+qQZELs+X7bVqGoFkzfwnxPhSVM1CPwDvt3uFGCCLh:a98Ks+rbVqGoFkzInx11CPwDvt3uFGCq
MD5:	D1229452CA48896B048BDB0D12A5C505
SHA1:	D2B73383DDADE5BBD42669049BFB6265892572B7
SHA-256:	D9E31123FB00BA631FCCD9E697CD5F4DA4A4D09CB62F5B6F2F4C49EED8A8E27E
SHA-512:	5401A94C8E998A6259AFE7AD930E914CA3F5AAAED4F706EF6151136E568B06BA8C3BB27AB04F95CBBB40FC879A75C0B7C442A586D54816E7109F8FB2755BC6CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............vI..vI..vI..I..vI;DwH..vI;DsH..vI;DrH..vI;DuH..vI..wI*.vI..wH..vI..vI..vI.GrHl.vI.GvH..vI.G.I..vI.GtH..vIRich..vI........PE..d.....f.........." ...'..4...........4.......................................G.....G.G...`...........................................A. ....TD.@....@G.......D.HI....G. )...PG.\.....?.T.............................?.@.............4..............................text.....4.......4................. ..`.rdata.......4.......4.............@..@.data....t...pD..J...^D.............@....pdata..HI....D..J....D.............@..@.rsrc........@G.......F.............@..@.reloc..\....PG.......F.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	252912
Entropy (8bit):	6.26449546686269
Encrypted:	false
SSDEEP:	6144:azN0KgZEaVmFI2qmDsHVf1JJKDo7wv52DP3dBrmSF:m0KgZcFIHmJU1BrR
MD5:	EFE675C00C0543DD08AD96E4D7DD022C
SHA1:	539A1724C5DB6279D239E28BF0BC1D06751CDF02
SHA-256:	EF3A3677540AA47F1543C475E4531CE8BE0C70FBE3B75957C0AD6A0993A4ECA5
SHA-512:	9E35D053D2C2CD5B3A70ECB88023B3854A7837D4FD0498622C9238A5D8EC0E2DDD51070A8525E2ED066B76E67FFB4602BBE7BBF1057D23373A71287AE7B2C126
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#............P.........(k.............................0............... ..............................................................P..p .......+... ...............................B..(....................................................text...H...........................`.P`.data...............................@.`..rdata..............................@.`@.pdata..p ...P..."...6..............@.0@.xdata........... ...X..............@.0@.bss..................................`..edata...............x..............@.0@.idata..............................@.0..CRT....X...........................@.@..tls................................@.@..rsrc...............................@.0..reloc....... ......................@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1236992
Entropy (8bit):	6.779426863902579
Encrypted:	false
SSDEEP:	12288:UCJTdofamfcrRdnuFxh0QJXFGbsYunrY/hF3uhUjgwjy7LgCQBia:fJTPmfcrRdnuFxXJcIYceluhk6JQBi
MD5:	3D8931678D9EA99A2051820416677779
SHA1:	579135813979EF10536E6E192F5B33C4E38438AA
SHA-256:	A78B650F54D51CA055A1EA745D37CC4E45E5954F4F3B04EF6CC664F67492BECA
SHA-512:	C13F2D7C3D89C7A9891A18D04C9078754A179E629E08709226F0B1AAB1599F2DEAE31C299C7C7FA7382EE0089F28EF22B8EBFAC805A0D8035E113E33E35109EC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Qg.........." ...).....8.......v.......................................p............`......................................... ............................j...........P..l....v.......................x..(....u..@............................................text............................... ..`.data...............................@....pdata...j.......l..................@..@.udata..r...........................@..@.reloc..l....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	829216
Entropy (8bit):	6.300815379570505
Encrypted:	false
SSDEEP:	12288:/qxOwtce9UEE1KK2+SwtLde4UE8b35Vv8RAmpdEVB3SP:/It9BE1XYZJyxdEVB3SP
MD5:	18232E66F7998529421B051E678C38A4
SHA1:	3C040DA458F9231D3077193AC4A1F68144B8E2C2
SHA-256:	B9E15674A3DC28D604F3A03398F2F421C3654C1376D5AAD3A4835538E1C61F1A
SHA-512:	31258C52357B648093AD9AEC5760F0012202F596DD14F6C3A50DAC37286CB811F0CCE3BC418502767686FC199679DDC8D1F3DC790F19B8040D0229BC5DB636A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.'.c...O..s...O..\|...O..y...O..u..:...u...L..r..q..*...L......L..p...LK.p...L..p..Richq..................PE..d.....f.........." ...'..................................................................`.........................................`0...K...{...................r...~.. )......X.......T...........................`...@............................................text...(........................... ..`.rdata..............................@..@.data...8=.......8..................@....pdata...r.......t..................@..@.rsrc................b..............@..@.reloc..X............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	66544
Entropy (8bit):	6.309954882128114
Encrypted:	false
SSDEEP:	1536:Xoun2j59yXrmGv5jqGcZJt7im3YtQrmEKP0m:XUyhAJt7im3YtQrmEKP0m
MD5:	4F8C576F1515282FF03306B01DE7F75D
SHA1:	52CECE362F99E1B65732F54275F9CA984338882D
SHA-256:	C27F1770F0648A3FEB826C6D480CECC37D8D807F193F45B721EB466688FF3998
SHA-512:	7DDE6F439314C79C485A3B2EB7213FE17FC822377984B77CFA4012E2AB0BAC4C0A5B2951727497D2017DBA2140646E71A169BFA720E0C19D54FE4FF81552E59A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#.....L......P..........d.............................`................ ......................................................@..P.......P........+...P..T...............................(....................................................text...P........................... .P`.data...............................@.P..rdata..............................@.`@.pdata..P...........................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....`.... ......................@.@..tls.........0......................@.@..rsrc...P....@......................@.0..reloc..T....P......................@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.base.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	18367853
Entropy (8bit):	7.968497771189572
Encrypted:	false
SSDEEP:	393216:BLz4LssSDaG2WEXljHcVPZBfJgPWFp93OKqNZNJyXgjrHKzMR:CLJSuCCVHaiPWFpkNzcXgnHKgR
MD5:	C6C96A3F5AC8A949A7F920D83D4C8B3F
SHA1:	2D6B7E5973DA5B3A469C4D6B426A02B7AA4FF9E2
SHA-256:	753BA6FDC8F9C1DE1627D0ABBD03E97E2E97AEF3E5823A6C8C036B68D48C301E
SHA-512:	EE9FFC7C6B996B9DD9421E23444F9F3D72E002E6CD50E7816325DE7392E49240D6B239139D5C2C7F7FF01EDE0F35077B95C77C60995E94405A38E1E8F5B263AB
Malicious:	false
Preview:	JM..PK.........o/Q................classes/module-info.class.9.\...o....@.(D...= ..hP....n...yw4.`.Q..5v.^.+..#.b.b.Fc..!...=.....~7.;3.y3.f..K..&.t.....3..\.F.6...R..!Oa.Y ...<.5sRR.H.m.!.@.(.:.9M.P......h2.kT.IF\.xY.fN.f.X..z.V'#....)4...)N...$.q."+.T.z...Z4......Q......-2.....}.!.....VPHF....&N-#u.x8....g..N.[4:...UZ.kI...@..O=.c...e.R.....-..6.._.e2.i.2....7.j!.Lf~..V..a..@.~<E..U..Mr@)X..IL. Qa/.%.iZZ..n....Z.t/...ei...#^..p&5..P..2..FN)#..f.p.8I'.z.. B.R.j....?Qg.A...w...&......J..Ng4.X.....f.6.q..e.,.d.e.,....Jm.x/...~y...A.A....).AkP..)..JE..4.Rp.~V.)>.......2qI\...t.6.lU_@YL...5.q..(#_...).......q...W...M...L...:.....\|.....o6...$ ..!(..V..SeD..^y.ZC....Z.#..A'..31.mH.....%..(..TAu=.!f....`.h..H...e...q.$./..]{....M....x.2M...q.1@..KR.X....,.B.ed\ys..rBy$!.&.G..<.Y....M.h...S.A..0..M....s*...\.^e.kg...,j..........%$%......6..ZcF...<.5.....`0%)..)..3.D.k.`Y.....P.....@..........p....[..........0.Y.j....d...Z..U\|`83f.0W..Q.8..U..i....[.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.compiler.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	124409
Entropy (8bit):	7.718272830707501
Encrypted:	false
SSDEEP:	3072:1i6Z6wsvoYmg/SeP7rXuLU20fGqZLdlC8IvgvGR:7XsAySk7rXu+fGqZLdlWvCGR
MD5:	5A4FE8E78A6C9254B36919DA9CE7799F
SHA1:	27276BC48C907C856F0EB72CF6F3A48FA3A92E44
SHA-256:	44E1E786291E335C6E4DCC9B2EACA365F06EEB8534A0CF8912DAC550091C4F46
SHA-512:	5C8B22AFC7B07B8DC595E6998819A4544603B6A8B3100EA653F42826B340C5930A872C01BA90269A783FC955C7024DB26088D4333D22DE5A632B0EF4734D7CD8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.0..-....P(...P.. q.q@BB.?`R................av=3^.....;.3...e....A[ Bg.p.. 4..x:....{(............t.@+w.kO&I.\|...+..P..eh.J..f]..H..F......si.......l.(..j.&6..U...Hd.=.hMw/.......LY...UX.9.X.ma.P..Y..+&x.7fO.V....I.2!4.bb_...E.fz..E4;=^.%\|.2...7.........%L.e\5...-....U..v0.84z.......80...PK....mp2.......PK.........n/Q............;...classes/javax/annotation/processing/AbstractProcessor.class.Xit.....%{$y...N..e ....&.....8.1.N........D..3#..-;..JI..RJ..6l.F...ZJY....t.....R...l......9>.....w.}W........J.P.TQ.2..;.a.1.[..[.w..O...Lo.@ ^..F.a....P...#..e...v..&...w=GOx[.K.#P.Y.z..H..>)}..J.....^kJw].y..".b...@.L.3..xFrKZn....j..U,.B..".....~.....$..z.H.j..",Vp...p2y....L5v..^..C.j..u.....T.&P:..2.@u....q.C..CX..I.O...d.n..!.U.V .;.....Uh.O..o...b....K..A.C=...\..F...2..B..W}.W+U..U...k.....I..Bb..!..m....Qq.V..8n..*...u}. r..N.d..9...Q.V.yX'.8{......,......M..+..o.j.:_....%.7.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.datatransfer.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	51389
Entropy (8bit):	7.916683616123071
Encrypted:	false
SSDEEP:	768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:	8F4C0388762CD566EAE3261FF8E55D14
SHA1:	B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:	AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:	1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^#.j...R.A..qV.1o...p.....\|._.-N$.!.;X....\|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be..eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N......r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.desktop.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	12133334
Entropy (8bit):	7.944474086295981
Encrypted:	false
SSDEEP:	196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
MD5:	E3705B15388EC3BDFE799AD5DB80B172
SHA1:	0B9B77F028727C73265393A68F37FC69C30205BD
SHA-256:	BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
SHA-512:	CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S\|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z\|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.\|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..\|sF.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.instrument.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	41127
Entropy (8bit):	7.961466748192397
Encrypted:	false
SSDEEP:	768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:	D039093C051B1D555C8F9B245B3D7FA0
SHA1:	C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:	4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:	334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..\|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z\|.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......\|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.logging.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	113725
Entropy (8bit):	7.928841651831531
Encrypted:	false
SSDEEP:	3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:	3A03EF8F05A2D0472AE865D9457DAB32
SHA1:	7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:	584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:	1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm........Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h..^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz\|..^.........8q..{...}.G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH\|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	896846
Entropy (8bit):	7.923431656723031
Encrypted:	false
SSDEEP:	12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:	C6FBB7D49CAA027010C2A817D80CA77C
SHA1:	4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:	1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:	FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..\|..]{.........S\|...(cu/..i.d.z...[....'.M\|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.\|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..\|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.management.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	92135
Entropy (8bit):	7.945919597257173
Encrypted:	false
SSDEEP:	1536:Jxw6Uq67COVGkuLH5Sr6DPHoXsUJWLgUpDYC+ZJk3kJoPUFX:Jxw6v67bXr2g/WRVtwi0Jw+X
MD5:	22F603FFB69D73089DDE462D567E88C9
SHA1:	7ACF3CADC41F208280B8F115C2EE58FE16FDB538
SHA-256:	27047E3D872637D62DD251A1E7CBE0AE5F1DD1F0F275A06405E6C673421681C6
SHA-512:	AA7ACDB5DD69CE5C8C62E4A89F65F94DD9316F9364E30EBEB66A542FC418FC586EC41B0D13D41548EB05B4B96E22113B879D20B9F146B935D8B6CB3826E78A51
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.Q.N.0.}C..............J..U..W...%....G.....G!.......g.o..=.o./...qH(I...~,..... .>#.Y.$S..%Wi`..1M....'A...i.v{..ah..)..J.Q,.-....'.S..OR...i../.1..J..3s.....I..>*..7.>.....m.P....9.-..~S.n.5.R<J.i...17y...?..6.a...Y#..G.>........-B.F.L.D...5....GE.E..B.P....yJ.....A.........xMc..9.]..1c.E.n.q.]..b.e...&..\^v..Vm..M...g...=.-c...>.PK......a.......PK.........n/Q............6...classes/com/sun/jmx/remote/internal/rmi/ProxyRef.class.UmS.U.~n.YI......j.$@.VZ...k.64%.4V@.\aqs7nv).........?8~.G9.{.$1....{..y.9.9.....O.E<O#.!.I..H1.90.M.6.Q.=.u.!u...w.a(....5.hH..@g......q.<2\.t<nX..0m.mZ...}..&mW./V..y...!w.u.E"....pF.Y.c...d.]n6..:....:...x].-.+.k...L2..p-...........c....%..o8..\..%...KRi.a.O.#T..%"l2g<...(nW.9/...{....+.d..\n...M\c..q..).f..P....u.s-..P....r.../d0.[q...l...-..b...h.....9.,...o}.&.g....oI..:...0..\|d..KN...,K..:..bW`....p>..=.;..L...69......P.....L..L...?........?.k...?.%..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.naming.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	460349
Entropy (8bit):	7.928980735357845
Encrypted:	false
SSDEEP:	12288:y8d3lQXYWlLLH56T4J+1hdWvHBmgmhhs+RGJ1:y8d3RWlXeMqdWvHczs6o1
MD5:	B396D42998F877CBDE5B93A1B238B5C5
SHA1:	ED864130A63A807EFC16CE9F97F8C24750A14C35
SHA-256:	734130C3E9D7A12A75BBB194C9FD29DFC85FD802B42B3CCD2C617C86FC905473
SHA-512:	8E44D12F37DE7A1F7453299FA0A3ACC566C2959A1C482DA936108BFB6514650AA3E2400AC090B65F2FE3FA53BCFF4F676D129695B10334B4160B45EF3B440043
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.Sio.1.}..KO.f{p.Hi8J.-..DU.T...3..5.9...........G!f...$..J...g...........3L............ ..CA{2.h.R.V.(...V..l0...M[..oF"..1...\v..q..a...s9#.q..K}..#.eyh;>.^.F.Q..m...8(..<..AA=..XdX.q.p..L........ur....u......[.s}.<..ju...wU.%.C07..B.......42l....$..U$S...&...#.g.w....,.a.+....^...0S...u."m...ciK...J.B..H.A.\|.&........U.OZY%..c*j...W+.O.V.M...dG.j......y.r.....$.s....P...ab?n...UMI...{#.uwR.aC...w....e.>R:..LE.......z.(..l=....2.1Z?:...n...t~..;..-;{..Y...\|./.:..<.&...N.%....8.)..9..%\..,S...e<.[...?PK..._./....$...PK.........n/Q............=...classes/com/sun/jndi/ldap/AbstractLdapNamingEnumeration.class.Y.x..u........S.,a....JF..."#.h.$.X...v....5.1....PB...Ml -N...%...i.;.>..WhC.I...G..A....h..d.M.o.....s.....]..W^..........A.)..a.[bv\|{...N.U(j..n.BaC......B.F..BK81.J.[v.#.X..j..O.I;.v.e.=..o.....F.q.+.s..QP[E.,...f..w.Q'.0...v..... .l..s5.a.B0...R-.Nz+5.Jo`(..KG..".pX...K..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.net.http.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	718964
Entropy (8bit):	7.932673218886782
Encrypted:	false
SSDEEP:	12288:i0TENWrWZbbneYeeZXg4ao0K/3JCypyudOQjsDv+X/A4zEs6HtZrvZ:AA6Z/teKX50K/ZPov+Xo4zEV/7Z
MD5:	5A11C4A6D94E1C67F84D2D22B7012B11
SHA1:	273C3A253F6845441C6B4D0AA000BD0860574EA8
SHA-256:	AF1946B6683575D724430220DB7C948AF2598E69091F74459CCA1F97A15C2A54
SHA-512:	841460A10900517CEB80F734F1492AEEE83287ECB521BB5107BECA3684189521D56F9CD2B17A136C521884124CD1F307CE51F63DABCAC60247960BBBFAC046BA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu.MN.0...@..K!...8A.*......n2m.$v....b..8..IAt.F..x.gKo>..?.<..It..y...n........I...Ul.1+.5B}r.....Y..L.A.......T.x....J..:I........T&,..W.XI?.8&.T.r.f.....Z.....Ch..u..S....\n...5/.g9.....d:gc...t..e.<.m...F.C..C..:.=. .mA.M....M......(__~.PK............PK.........n/Q................classes/java/net/http/HttpClient$Builder.class.T[O.A...(..r..Q...^X....E....%D..vw..e...b.Y....?..e<;.(......w.7...?....(c....Z.+ .~..]..s#..........b...sN.._..!.=...@.8..T/......\|..P`(...h}..P.....D.........F.....n....F..z.7...%.a.rO.U/..Tk.#.J'.p.L..C.."....\&.....i.]N.....i..8..H...,..L..n.Qm....)..)o.k.b..K...l.6oq?1'^i.h....~..9........e....<..v....t.;u.m.R]...+Whn.8e..@...>b.v.2......g.;5.iz..).{f.;.:.lr.fj2L8...z..PDB/0.:3[.}..p:....z...j.k.4.o.D.\|E.?.."..zzcy.We.-..K.mI...]'U..8...V;e...&.....i..Uo..ioXm.^7....1....B......:n...[.oc.....,b..]L.......dp...>..)..cZ...%..../...~......s.^....)..\|.Y.q...v.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.prefs.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	54624
Entropy (8bit):	7.943156238505704
Encrypted:	false
SSDEEP:	1536:QAcQb2JQBFv0vQ1ffh80OUisaBL00Yfcfd8tjsH5:QqjcY1fJIUXCQx0lr
MD5:	224D8C26B9454FFE244D354BC030CAB9
SHA1:	E531A7BAF213D72964CE4DD83A11AEEAE5713F00
SHA-256:	43622935A7EF06E30D1BDA7E77CB76488DA9E721728AE0B8ACDB1F9C7B91C943
SHA-512:	E0754FFF5801CEB2B1512AD0DDDF0D74C4C2AE97EE70A467E7D83E3AE5870A6ECC6F250B849108923AA8CA94EA3505C4CC7C9BEEBFC192B2DFF1E99A943DCBB4
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]N.N.@.=W..K....--$.=;.......J.!3....r...Q.;.&.Y.;.qs....'.9..N..:.qV.u."....zS.......h...h.M.}g.u..w...-.~Q.C.....<D.p.o#^...2a.PI..{..T>..$..r...?.ps..T.U....YxVf......T..X.....\..5......J.).}tn.g...T...=......PK..t?u.....9...PK.........n/Q............3...classes/java/util/prefs/AbstractPreferences$1.class.S]O.A.=.nYZ.(....Rd[.._/%D$..R.h.x..C.\w..,..H_1A%>...Q..M.iL7...;.;g...?~...q..dmX.r.c.;...k.W."....-.#...4...<.J+.}.@..2..=0j..#o..`..C.p\|....C.i.\...k.Y...c..6..F.M.......P.p.c6..L.*......X.....f..%#..\.u.S.n.&....a...0.....>...... ..f...mr..D.w..l.2L...^.I..."../.bo..2$...t..&..F.'...2...CKDoy..h=....L.i.J..a....J.apGs...?J.....\0..;..p.G.y~.P.......F...0.<.)..].........C%.......x@t..Q.4..Q..RU4../BEU....m.\)...2T..w.......R.@..s4Z#D..Be.+X.;./4.......k..4.....Q...8R.W.a..r.v..3.~.m}..=...}..dt..#.P.!3...Ix!...D.T.......R.......L_.2.....<4.!<2...E..PK..]5\.H...`...PK.........n/Q.........

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	385108
Entropy (8bit):	7.9135425794114935
Encrypted:	false
SSDEEP:	6144:WLo6BW4jXxBTXH4nfLyHInEmCC+Z/GTdy6ixx7KoLUTzROUBczZoUDYbwyKdlO5k:YvxhBDHauHIEDC+ZOTKL1IzCzZoUDYbK
MD5:	C4BF3C85D5A2B5A2482D29682F937339
SHA1:	2ACCDEEAD4904C6EC919771CE49943C9D6E8A9E9
SHA-256:	25FDC4D19B9F9BFF599212307C35ADE3C5B14D8FA326352837E2AC1919A27679
SHA-512:	51908DB9F980EAABB144C3BBD38563DF0DE3AD9AD286FD4D4F5C41B4F2D70CF278395E123D8C26A64742858A4B629902532C0AF097D020EDA92A7031AF586B66
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeR.N.1........E....ogX.n.411.../Pg..L.i....\^..>..Lwg.b'=?...z.........8eX.M6dO.K..cX.......J.T.....'.Q...).7..E..q...+.c.!..D.^..WFs,3.4.,O9V.....\9o.pt.....K..Z..'.+8"j...09.&.....g.......q<...H{UJ......Kx../6K.......z.].....C.g.Ka........\.<.!..dWq)..e)..Ik...t...T.+.J..F;S.m.a..4..g.>...Fd..U..C.<..Q....,..4...E.Wt.#..p!l.=....v=Qf..7...k.}T..........n..p.M_.V......F.<.E.............b...U..;.;.R^..;.AL.(...({....8Tw..PK..{;\l........PK.........n/Q............R...classes/com/sun/rmi/rmid/ExecOptionPermission$ExecOptionPermissionCollection.class.V.S.W..]..aY.....hQI".UAJ.V......k.\..f7f7......K_./}.C....L.38..8...C..7.........#.:.>d.....;...9y......\|!....n...2.^R...g3.=.>.3).4..6u..mZ1.vh.fw1...#.....kY[....5i..:.!A.j.....H.P)a..*ld....5.dB....i..J...v...W.)O/.-..X.$.ay......K?.2O0.1.[.v........U#........$.)n..q...Qh..lG=..:.M#..g4{.V...6Amn....H .le..hF2"c+v.p............e40.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.scripting.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	44965
Entropy (8bit):	7.9310029341229376
Encrypted:	false
SSDEEP:	768:T/6WAhx73PjgF6wN1l861Z/T6dKl4U1mQUva+qD160eYG3ichd66N3LgRBG:+73PjgTaK4U85i++1bmi+66N38RBG
MD5:	A64194B2F7AD00E12C9E5AE260B57B3E
SHA1:	2617AE8B733B5E7B31180A3EED1DDFFD1B5CF631
SHA-256:	BC08974AF0D13B1B362A651329036C24CC54028F1D0B3EB327350B51E2270FA5
SHA-512:	68FE47540C844FE28B92C0AE4E8FF5C77F60A4AD0C5F1F3857412DF36E11A6053697B823E7C3D653E012F1923502DBBAAA9B03803A24344DC5C384853A3D44F8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMNAN.@....PJK!9q@\|.YQ......\|`.,a!.E......x.....>x.....o.7H...eM.g.>..D....\|..I..W.y...c....".L.3.J..+j../:...(.D..v.c.'......:.p.+....67V/..]..aL8\..Rzi...w.G..+.z.........uM.......d.]_m.....c........<._.S6....I..p..i...PK..=..+....F...PK.........n/Q...............classes/com/sun/tools/script/shell/init.js.<.s....@47.]+.......K.......];i&CK.."u$e[.......AYI{.6.....]...<....^=.V.:.Z...G...>....0Q.u6-....AU..mT6..E...I..P..Z7.....}....z.............W'/^.~w..4U.4Z.j....Um..\|.Kx..z. .?....{....>.....U?g.....\.E. /.\|]N..\..h64....X.`.U..Z5.... .R..j...QU.p9-.]h5......^UI...k]vx....e....^.f.U....'.Z?./.j...s...V.c.O.<...ROTV_5{.\|p..i.~....-........v..v..+.).a......<T2....H.,t....6..l..9>X/u.64..n.O...s......Q.R.Z...j.g.r..G.....^O.&V.%.e."X.=\F..u].e>.e+........n?~T..,...,]..].-.:.0..................L.K..^...$..B..:........p...~.H.l:.M....5.u1k./-.7B.^.%.f.. ...w?....8...\g.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.se.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	2207
Entropy (8bit):	7.650310282866788
Encrypted:	false
SSDEEP:	48:pEEdhj3vrYL8RjLRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DjGqt:+EdhdKvJX/Agxo7RA1LZZAL4Gqt
MD5:	3B4DCB7D28ED3DA5F09ADE9FDE137D3B
SHA1:	0EEDA129FA837E4D5E54F678249C7265C96BE4FA
SHA-256:	4BD4726EB7772FD1A202DF3EEF6367ED66688E0603C4B970D22AC8EB560F2A04
SHA-512:	BBC8165555B54BCE7E2342CEE798F93245B0F5A4B6E9CD9CCBB28F7EF42E8B4E3DD729DB95E7B027CE955DB27FA3B8555D8015B568CF8672A4BEC9DC6028EC1E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classe..V.1....2.!.xC.&...A7.....=.68.4IF`..gr...P..k.9...K.OU.........p"0_..hh...\|.B..@P....h5..FbJ`..A....,..t....9,\|U........:.....F..X..&.H..X.Xf...2.I,./K.J.NN.....I....Be%...o8]q...Bg....].D`..:.A.x&0.1..B`i...N\|.K...^..`.:/#U..O.:.%v...."..e4..uv.-.E..+-q.k..}.k)RE...../~...zN_s._G../..P.D./...}]].?.....c.Gh.I.......X..M.;.-..s..f.0W.....S.s.&s....e.3..o...G._...PK..U.FO........PK.........n/Q................legal/COPYRIGHT.VMs.6...W..L.I{ir.$n....N...J.A..@).I..}...e.i{.@......C?F..f.....KC?.}.kCwQgHz.S.ds"..Y.MZ.K.X%.&..3z%..M.B..2.S\|t0...:..6x.}.;..i..D..Ye\|..&..wI..Xo....h.['..!..B.\HC.W.g.8.z$.q.....Kob...=.p.].>.Ld.....H.........H/a.(.sa?E...oR'G.!3......j...A..'.....V2..m..5H.....ex.z...m..........a.l.6..7{........v.3]..(..g.\|E.fg"^d..zc".-.dJ.[..M.6*t.uS.BKy...Ys`./.k.......yaZ..........U'.....&.n.&...P....F9..J.1bo.6..I.]%....x..../.1...[.u....ey...-.Ag$H@.BD....xHL.>..V...>

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.security.jgss.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	698330
Entropy (8bit):	7.957481640793777
Encrypted:	false
SSDEEP:	12288:vSE51vUGc5P3jM18B7OcsnbmTk2baTrPxLLu3S6qj8fM7vX:qE5t9UPzI4OjbmTk2GPxvu3SXj8e
MD5:	372B6F9949895C86164FDF3A1E99CAC6
SHA1:	B9D3ECAFAE368E7ACDADCC347DE6FFC08D031CE8
SHA-256:	934114BA650D81262CFE3CFBA0D5A190520C05CDDDCD9A7A875E3E1D951AD71D
SHA-512:	2DB6F0FEAAD1DD724447CE6E1E1CE92C5293AAB8A661031BB4B343564703BA033410EB0BE56B223F2F8901CDF158530503C0F5B6459D7918253C3AC7CF99F029
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R[O.A..."."..........P..w.LH..d.;l...lfgYy.w....G.g/.i.L2sn.d.......>.#aq..t$.At.j ..?.g(..a%.N".T.....I...a....;....._".H..R..V.C......iNy..@.I.G..,.x..Q...11O.H..a...Q....K..)7.u..p..:.K.IX._..."lLG3-.Xj...Q.v...)7."#u$F.......u.;...o..........a......3...}...]u5.jW...R#....;.&...P../...K...8...^._.z.$...`-p.<...Vg.'u...[..<I.+.[B.D......t.R0..(.c....^.../.%s.D....{G...-\.9...qd.7........S..B..a/..r!..^.v..\.v.B.+.7....;h.zu.m..+`X.5...#.........S}..PK..CU\.........PK.........n/Q............?...classes/javax/security/auth/kerberos/DelegationPermission.class.V[s.......,.....".f-a!..+.Ip.M.q....0...x..h...,s..Il..vl.v..0.I..B.L.-....C^...<'...T.....8..;.}.w...............`...$L$...}.Z...Y.\|;\.>f.v.9.W. .=W .....a...qm.X...T.........l c.].=.L..pV....?+}/.>..9g..m..P.TV..-..ZDj..@.@.^.B...{...K?......[.r....B.Qeub....W`.+.C.*.up.~..vb...&.......$Q^.,'XG...+......xD...0.(....\T.nxb.(...,;.ob/..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.security.sasl.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81698
Entropy (8bit):	7.940663737798511
Encrypted:	false
SSDEEP:	1536:PNkjPGGpYd4vOGnXOTbAuy88LVeMdC/FEM9ZndTL8kSCXWO5o4HMSKSg63WiWdYG:Jd4mIXpHdAVgkuO2GXKuHVWlZlV8i
MD5:	BDD7FCA80A0E7436DC46FADE0C8CD511
SHA1:	C491F4A649B8DB593F26D25133DD104D8985AE60
SHA-256:	F783A14F1FD9E804553F54E8B97E38A5BEB8C25ADF096FD380FC1BEE391153AA
SHA-512:	6DD0A97BC791E78C28E1D1D949911B94DB3E2B08E5055283AD0195E0897E7984FACB517FF8E6C7B6E78E310819AFCBEAC9876B0FF35370AD96539C3E8B28C134
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.N.@.=..r.h...-$........,..t[.7...?..2N....Mf.\....O...&4...C9V.kR..:...\,..W.....{w...2.2.u&......y.n9n..Q%...\_.Rg6j..~F......<S<.E..uo.G..jF....B..4a........;............{o.&K...S.h....P.J.....G..;..3..B..g.x.i 3Bk.b?Y....5P...q.">..q.C.+...E.6..:..l....gl.\...#.........PK..... .......PK.........n/Q............5...classes/com/sun/security/sasl/ClientFactoryImpl.class.W.w.......,lc.hB.b._.@.C...&26.6.nH..X.UV+.$i..6....> }.m }..b....9.9.I=).7...-.9m.W3........[.n.h.....G.7......HJ5."..Gu....0L..).ij....U..AT#(.f.#....Z.6..HV."....N..9.=.....d...g.....$..0....A... V..6/...B.9.....).......5A..:.`...Y)C3tT.u.....l..O`Ky.s....z...R.Z......o..o......`.@cy{.'..6.T....GX......4...?vpW..=..... ..a.1.;.Y..6G-..2.wX91.s.#..J...D$V..U..n.7.-EUA..Cw`.V.t2...V......U..M`}.'.v. .....wu.W.C.....R.a........W...GR.d.O.i.7j.HE!..n..CK.-#..../..u7.G..M.8.e...."...<.a....p.+.".G2j6{.G.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.smartcardio.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	58645
Entropy (8bit):	7.913344050895434
Encrypted:	false
SSDEEP:	1536:r6aikQmg/FHrHESArP6j+qjHQT3K4n5pBCZ9xkQ8AgIDAJ4WY8gOY5nIlSjI:e7mqECMbnVAXDq
MD5:	4C54BF6DD5C142E6C8C1A360C985167C
SHA1:	7449C89D087ADC871E26218F6AD82FD1FF5BC01D
SHA-256:	0AF33A68F7B71F12FA3B7F27BC69B80A86633F25EB82830076ACFC3170538EC0
SHA-512:	2C5050F04B4F7AD373CDD33B3874A38AA317C996DF27630D4AFCD6F2ACCEC6A5ACEE3ABADFCF8D0182104651BA68239FA13E4658398F9F92D0E1C6D4B4F4568A
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu..N.1.E.Cd.D.A..gF.t...$...i%Ef..S...........6i_.=..........B;W..H.....GB.b..$_".3]fLs.B....}t...=._.#.G@..[.FdV.../m..U....M....h..\......Aqj.d...\.Z..:..r-...O.....e/l)... .^..........?Lv@....\|..+Woq...\..S...].f.a.9.B.:{..PK..F......k...PK.........n/Q............#...classes/javax/smartcardio/ATR.class.Vko.e.~.t......R,....V.j..m.ta.e......v;....%..5.D.D..1A0.....\B..o..'..A.wf...J.0...y.s.s......2.."...P.a4...jOY5&z.....#.G7tg.@.+..".F............e....t%sK.3.X.f...V!....{...r..U.....V.+J..1..<...5.6.uX/.l;...m...Z..Yy..C.<o2..\.Ql.s.:c.......h3...e..E.2+..Z.=[g+..P..1l....f.im.4..sZw&9#M..iWv..#.....(..T..!..5RUG/..I..k...eN.......t....D&U.AJT;..d6...`g..d=Z]<..........lc.J..{R....WY....f.jY....D...2.Y.n....(.a.....j......[..b.>..@.#....hu..Y..`K.dQ.Q..7C..,...vD...0aa...M.............YG#J.+);..;.]....M..+....."....16.Y...,;d.3.Y...D...;..G.W....3..g.....VqX.[....5......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.sql.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	76011
Entropy (8bit):	7.806124696487568
Encrypted:	false
SSDEEP:	1536:WwNmF73X9Xw+OM8661csaSLwEqv4RO8zIYaHlrez:NYlpBj866taSLwEqB3DrA
MD5:	E910C6B0413AB8D4CD0A5EBCCDA387EF
SHA1:	6782B1D03ED398C4AA558C219294C6367F7C8479
SHA-256:	2A24C132034F0894A0AA38A2DFA546F6D20113783B791EDCC9831DFC144256FA
SHA-512:	A729C0449FD21D633E5F70B8FE98876E96FE7559DE0E4E137A55B329403B624D6F298B2D4BBA061AD4049DE224CC2A2C3B6FA2BDCB13430BE78E84992D537B2B
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.MN.0...../....@]A7l.;$$..I.eHb..m.=........Hx..........p.K.05.&......D....]l.._.n?........\|...s..A......_...C....(.3.0&0O.\dVD.6./..M+S.vD..!..\oe....g..#.....y...&..ID.BI.Bk."r%..x.....B...f.t..NP.........}.........~/l..s.g~..8.S..PK...p......k...PK.........n/Q................classes/java/sql/Array.class...N.0.."2............FH.h..Dg...,#s.3.j^..>..[1@....dY{.''_...O.0.P.....Q#\|u.. .....Bs.g.....p.e..........#P..9g...l.@..}.\|.P....,...<...@.+z.C ..h!.O[`..>U#.F.....Y..Q...\|+.h%K/(.....i.l....MGi...j...\."....-..~.T<......\o.q.y...d....d....a.......5....v\......2....)._....k.K.7.J...R...R..\.2.RP..z..P...T.&.U.+.-.4...Ag...Y\|..w..PK...?mb...&...PK.........n/Q............+...classes/java/sql/BatchUpdateException.class.W.s.W...+.k..8vl)..$N#._q.I.7qS.i.(vR...).F..JdI.V.(.\|5..\|.xf.....q2..2.e.7...x.7.x...sw..m..0c.....w..s..OO....$~.C.....-.=...X.......K..f...s.-.er..@,.R&Y#.26o.3....3..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.sql.rowset.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	190817
Entropy (8bit):	7.967262446791647
Encrypted:	false
SSDEEP:	3072:SiFe3M5fvodBY6aFvCLY3HQgZlTlJtlGwNa+Uk3/+y9L:o85XoHaRMCHQelhHlZVlGy9L
MD5:	435A6696E8BABB8D66B3D838FAED2BF9
SHA1:	4EB408C7D7E6A347CC6F331CAEC10DE7F55FBC57
SHA-256:	3F55459BE1A9E300D872F712039F975A3C5BCCFDC498CD0A603A465DE8633300
SHA-512:	D3D8D34400230FDDBBCDF469786869FCDF50491CDDF70B58ADCB33E959A5ED8649E374E714FFFFA7AA2D4884042F09B0FCB7963402B65BD48E1634D099E2B2BA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0.......hy.......{CB..0...I\...[.....G!6.E.Z...v......W8e.F.../.GU.ch.!.'>...,8.K.h5KDj!.P.\8g....M&...m....9W..1.m..:+.X...NlTi~6..i..u2\e.Dh..6..uq,ml1....x",X.5S..d.X...&.!...._-.1t...l$.!.R..8`...D{b(CA[.1..,.[.=.@$4{A.s....>..O.}....s`.....:...kl.......a.......ep....n..K..FY...q?..PK....:.:.......PK.........n/Q............/...classes/com/sun/rowset/CachedRowSetImpl$1.class...N.1.....K..RN=.(.$.e.R.....AE.....Wt.X.h.....V.D..E...UuvI..Ua%....o<...??..X.4....B/a.....RN..ja.....vpZ.f....-.z..y.W...3.C.B.F?lB..=q..UMgs.@x.aKRI.L....i.`.B..}..............jiwk{...Z.&.U.=.L(U..2.Q.c6..!a"..9...G.G..+o..L......Fi.O...o3...R...D6D.~.xl...r.aK...w.g.9a&v.....9w.By"}....'........\|..(...R..`.+R.j.pO.;./.......PF.1..4a..:..H.\.I[.!..e.JO.i..fmp....k..}.&..5..........t.{X.B.....k2J.hg.s..sZV..h...a.....*.y.h.s{])..\|Wk.1.5...3P6.=<~.=..1....-.".}.8..T........./k@./x<v...r@<J......E.............

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.transaction.xa.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	4035
Entropy (8bit):	7.63515724105447
Encrypted:	false
SSDEEP:	96:Yq0GYT9RMGlLOkhw8KvJX/Agxo7RA1LZZALaGXDHHs:f0GjlkhDKdNsAlsnI
MD5:	FF54FAF2ABD3B1BD2B868FEC043BB19D
SHA1:	C6EBE8364D84B85478C164A6A6A09FEB4394F6A6
SHA-256:	D73340591C1D956650175CDF0B12F5523EE5D5644ECDAF663DD7F44EBC28290E
SHA-512:	F6225B4F0FD673226F20D8BFC9A99851FE230C7DF59472FE07269B83A52F52E5878A39B9B2C55D8435E98C140F16BC383AEA01D4AEDED5BC4531084D491A3B37
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMMI..@..v..x......7A....(.L.....>.G....:tuWWQ....`.....z.C..u.Dp..q...<K".84..J."a..Bm2.c1!..#..YF..Q'4....$.6...r..2...B.X... ..S.[..2&8w...n.\|....(...w.....f...(._B.?8..j.<...PK..Z...........PK.........n/Q................classes/javax/transaction/xa/XAException.class..MS.P.....R.a@.?...(U....&..4a...7L(...:iq...p.q..?.?.7........>....;..r......J.....o.t=p+5.\....^S.....c......$..Q?.O...I...9.....E&&K.#....L...b=.+...81:..n.a.....d.[.#.3.y......U].^By.Z...J....{....}..ZG...ag2JQ..X[....#.d.C.Z.BN..^.R.....\.`.-.n:..;..n3J.k9y..f'4+..X.....8zA.V..v.4.V....d.).f..&.......ym..+..l....X......:Z%.}....[4..g.6/I.LC..h.....nf#...G....ms.G4....p.;,..bp.+4.......#...GX....*7...apUE]...(.....x...M/p..=.>.Z.<...pSF.;~.......x.?c...}..(..,..'......\|..^)e.w...6....a..>P..c.Y.z..... ..)>/..>..../H\|.\|I...Q....._._.....).!..xR..xJ..[.O........xF.{...?.?......O.....J<.^...X.8..J.R.k.m.[....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.xml.crypto.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	670979
Entropy (8bit):	7.887042011821685
Encrypted:	false
SSDEEP:	12288:aXgXoXuXOLj7awadMRn6HG46P4IN8mvyHswk596dQLreo7Z6AAb1yRvuASgS5Mey:aXgYMOLj7awadMRn6HG4y4IN8mvyHswi
MD5:	895377EEDFDE160D01971E53C5657F7C
SHA1:	8A3E4A11683A7F406DF57277921A9B5E49DCA185
SHA-256:	026D61591C17B3ACBF900F3EA676452CC668062116C5B823709AEABBF77AC7B6
SHA-512:	D73AB337D179B07DB5F01D58243578687A9E4323BCF6ADE8137E31D882099966EBC8C132CC3A5391A4C77D532B54C5354C6C0279CC24AC0970375B0EEA0EBEF4
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.UYW.P..F...6.....K..-.&(.((....6......7~.......[.....9'..............9..:].Prx...~.D.`..Y..z.^q...'A..Bh...q=K.3}..K....`.3..!....q.1...Y.vt.!E.lt....?.n............"..'.:.....l...M.%........KXH....z.........$......'..A..v/.p....4V..)q...0..I%?>..6a&.^..C.).5L.h.^.r...f...Y\..a.)h}......bJ..<&L4..m.cQIH.(a>9N..r..8..$.>.........I....~.2I.......'b....v$F^...0Fm.N....W.'.]$..b..G...q;.(.j?.0C.......0G....@...UE.../w.-.w'..e.....njX..."..@.P.Z-.2.?..$....}c!Oc..T.,..xOh;k.il..b.6.../...R.H..o4c.kse.v6R.D..U.q.v..[.+.z.?..<..>..T.{LX<"t..^.?.3.-L.N.+8{Z..X..=...5)[....J.......J.W.KJ.Qr..-..\|V.....].A.n@..na.wpW.>.#<.....t.c.9L.4/#,I....-......PK..v.G........PK.........n/Q............K...classes/com/sun/org/apache/xml/internal/security/algorithms/Algorithm.class...O.P..w.+t...(...0.I%&j2...@.F.._..M.v-io..+}....}..2.{W+HM4.Y.=..\|...s.o.?.............F.'IC'.=..qwW8....C)..N".4..J?H...\..X..@.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.accessibility.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	517331
Entropy (8bit):	7.932914811977659
Encrypted:	false
SSDEEP:	12288:3Jcwf4nlwkOnw0dGfGf2NNdGGF56ZwDcBy:3Jcy4nlenRGuf+NdPFke+y
MD5:	1BF162783EC1B1DE6BF846275CB30304
SHA1:	DAED3EAFA8D19CA690F8A46B55DEFB0FD5F55387
SHA-256:	BE8A7293DEADFF4410281D93A0B6E8CAF2ABD08486000F933E2B7794998B0AAA
SHA-512:	71000CFDE3B33D7E1DE2BE8F34D1A4451CA37DB7C7CA28B59A6F6C00A730E974EE9F0AE4868659B9BD47970FE70CD83A4F523AD0D03F70362C5C7BD7FD99AC95
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.@....HA>....M............}..].B.%....sy..\|(..S=.....g~3.;...o..qL...O..S..@.V!.L.\..........T.b.D(....3 .y:tM....~.].%2.D.E8..L..P...........6..z.}i.....!.g...}n.j...el.M.../......l...NcO.@.\.....+g(...K.[..E<....P....'B..b.l`.J.C.7..g.[l...,..)[...'.......WU8W.a....PK..a.-.........PK.........n/Q............@...classes/com/sun/java/accessibility/internal/AccessBridge$1.class.SMo.@.}..q..............RU....i..rA ......v......~.?.1v".R.QK..}.7..3......}..QC.C#.....1?.a.U...c.8..T..2..Q.-...c;.R}.>\|.x.........:1aX.5O#..n.....B.3Re...G.k.:..`..q.'.-TX..$...X..MC..0......fb...3.b.t{..FZ.}...6..0e..F..\d".$Nj"6.t.V#..~1..y..N.......}.6...O..+.3...9.../.e..+..x~: .w.;...K)...L"^.R....e4..B%..Qfo.;..;.....Ck_X.J[..R....Za.I....O.V....n....g%r.+.g:.p.l.....`..k.N...1'?............g...>...f)..Jq.T./X=...K.YEm.V.7q.\|.[d.+d.w+..#.z~.PK...G.'....h...PK.........n/Q............A...classes/com/sun/java/acces

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.aot.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	286933
Entropy (8bit):	7.911348853312728
Encrypted:	false
SSDEEP:	6144:vlan58OL1oHDUV6c+45ksJuLWjNAN3ZtjV5OyaFQWIWdB8VimLL:vZHDezuqcjOjQWIySs6
MD5:	CB1CFBA8201EE222C2D69845FC055F84
SHA1:	8C448B58260790B6B10231F0153FC7438B41F4D8
SHA-256:	DE900FCC734F2CE46175DFBAA4C26368452C6049EA96A35F1E27F5CD988C9D3A
SHA-512:	2B69DD8B25F2549C4BCD4F2F3E3FB21F0EB66FD8BCAD4CEC0F7B731317041BC01B8329644109C0823839F3BA78BE48CEB227C5CB958CA3101E24035C24FD15C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}..N.0.E.c...1.(.y..H..=;$$...b..IA..],..>..BB.`..G..~..\|{.p..P.&...)...?...9....}nR.#...3..?!L95H.QI.q.`(...s+..O....S..U!,.....)C..Rh.R.........0....')L.....0JI.R.#....P<Ib.%C..,....}eX$4......B...a.w.J.V....O..u.lV.(N..../".......HI.a.P.\.c~/...7.%L.....A.O\..8........a./.r{/SB.%.C.....!\|...#.....{.u.S7z...3;.......eT1..L..i.a..Xrz.k8...PK....h.x.......PK.........n/Q............>...classes/jdk/tools/jaotc/aarch64/AArch64ELFMacroAssembler.class.U]W.E.~...tm....b-.MBe...HK..l0..4j..a...M6.nPZ..z..^z.7............n.ml)x<........;......FPH...q....U`.S+..]/..W,;..L..M)..:t......i)o.....=.Z.8%'...If...M..0C.6..Z....o)..8^i$.oG...H.8.C._..........m2;..x.(e...R!..)...X:.... ...a.E..8.......j`...k..W.?..H..=j..:..e..l..-...W...T>..p"...^.).s...E...,e.......6Wr7......}..%.b.4^%.n...&3......6t.xMs.V,k....8+.V.\|'..d*.M).i...H.Y.>..D9.4......\|.c.N..x......:.tc+-...Li.SE......_...:]).s.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.attach.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	38562
Entropy (8bit):	7.938691448340528
Encrypted:	false
SSDEEP:	768:YFL2bxkq9mFS8C+9OwdExG3rjwo6LkgHVOImnz3E2/ElTMst5G:Qalkq9ktCCOwHwo6L91Dmnz3E6ElTltQ
MD5:	B1ECA358F4D3525178F96244F11344FD
SHA1:	EA84D813907BA33FB66E54FC0A8272230F7F6FCB
SHA-256:	178B1246FA90169F75CC8DED648A88276DD252A28A85F26676777D75D290BB64
SHA-512:	985D19030C00EAF12E088184745739ACA59797D6E354FD41B1483A231E66479DAC0260E1BA9A3A5FFE4954CD69EC8FF49ECAF7D14DF0C4333BC77B2790EAE410
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.J.@.=..&M.V..>v.\5..".r#.....c2.I.d&........TA....9.........1....L.(...".~4..U..$..gJ...E..._.g....".d..J.T.+...0....<.....3.B.V...zzy....9K...b......$."........N.Q../,...5.o.]6O-...DY..6N.>......J&,..).....)W..".#..#.E..K`...}.u.C....}K..e......D...6.....@.a:.qhv.}.PK...4..........PK.........n/Q............?...classes/com/sun/tools/attach/AgentInitializationException.class..KO.A..O..y........1.c\..b...6.. .qU...LSm....7.!...p..v.....TO.H....7.~...>.s..@..u.P...D....W.]z.4#..~..Y....6..(.-.k..Z..&.h.<..=/I.g.(L<i..v..#e.."-C} .....+..f(.T....1.&h.....f..6...P`&Q1aC.'dl..,\|'0.Lb.......k....(../........?...;.( G..8O..N.....M.s$.zcj.../.3.{...[Q...v.,...S.."o..g+..fp..Em~\|..K.....2Zg^p.wO!...T.2}..4.\WX....p.Qs.&.>wGj..r...'....zEy.....3..(wz.9..t>.n._..:?....nf.........9......1....J..\|.p...L../PK..............PK.........n/Q............5...classes/com/sun/tools/attach/AgentLoadException.cl

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.cryptoki.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	351274
Entropy (8bit):	7.9627246365800355
Encrypted:	false
SSDEEP:	6144:ulMVIrmuMtJv/bpPkLG9zDEUa9NcHCwegOkCh0Tmj3/pxk3UKFZW7dc:ul6tltM6xDja9CCuOkChC0BxkkKFZwc
MD5:	1327D707FBB8DF3EE0D70D15A9C0D040
SHA1:	C4659E3754C6FA51E043AF8154AF8A9EE18A6F48
SHA-256:	EF9D8D43781AF4C7A1952014806FD3E36036DF92D62E79A3C0AF021CAB6EDA50
SHA-512:	E67C3E11EA5E962345CAC9682BE0F66E21CEB754AAAB2B48EC504D5EC50462BE5A96F59E28F046F9D3565E6C27214BD1793D8354DFA13FD99A2783EC44AA3AB5
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.@.=W...G+..7.)N.n\..1&M......N3...\..~.q..Xp..>........W..L'.T.U..=..t'.N....I...,.BoT.\|4.M....!l.....Q.b...2..#\.I...\..-B...~p+}t...QR....5b.#2z..i<..n....,z}...pFh.4B...t....#..F.E.......;7cY.=.%..C>K.............[.9.t~wYg..{..s\l..hc.....PK..gz"J........PK.........n/Q...............classes/sun/security/pkcs11/Config$1.class.SkO.@.=...}T..P...q..u...%$H @.G....t....!3S....(.?..e.....tn...s.....w.5.-".....>.3...'...Q...?.a._..0...re/.<.....<..0....@W.....SCD........).q.u.E..Q1/..-..6.1.W..6.....fG.c..).r.R.Q.^.E.P...%...Gi...(....W..t....%....6&..a ......dPF.0.]..XW...-~!W+b.....x.......k..,......8bp.=2..0L...{G.....o..FH".e.3..E..}.v.......?..H.]0g.B.j..=.....\|.+...ok..v/.i.\.u...u&^.....K*..2V._...J...$..Y..Pj...-..^1._.l....fM&..^."..C_k.1M......,.t.h6K_.E. s_.>.G.Oi.O..(.hw.P..E....J..$...u,.p..3\|......{v!6Fd`.9...u.`..4.#>....r..-Q..=.~....:...DM.KT).0O.......EbM!}~.PK....8.H....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.ec.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	201772
Entropy (8bit):	7.9524710852936815
Encrypted:	false
SSDEEP:	6144:9qVHcUYpfJbKNaLV2ppHAVxWHj+f/ehKAqW:9icZp0yVOxA30j+f/eJqW
MD5:	263F17CDB67CA9DC7704B373ED4FFE6C
SHA1:	6F8E27D98F9187BF6A19A6C048E4C1E8AD43D2B1
SHA-256:	C35E8D06078F41B89D152DF528C0F577A65BEE1235379B17E0C5BC54867B80FE
SHA-512:	6C3689F290F6FAC4A090B6F01B7C2E70390F158F548D2E3F3F04F5383C895DA6F2D0092A254FE85D3FE0FA9BDA8F50DA72173ACC9A0AC99F590A22D6E370D3B3
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmOIN.A.}_.f...t....D.4.3!...U_R.]....s.....X.q..'.x/.O...'..\..s....M.n...........DO.r.Ef...%Byp'n..J.$NY..d.U...9"c.....1..&."...b.x.).h.z.....]...@.).<yz.pA..l..?...._......P...sJh..W....V&.v...\..n..\|[.!.\|...k..X.....x...A........z.../PK...I......l...PK.........n/Q................classes/sun/security/ec/ECDHKeyAgreement.class.Z.\|...?.$_2....`F.F..9. ^...@.!.. .:.\|IF&.s......wW.j.-.....El..V..n...]{............f&a2.....3..{<...?....}.k.....9.5.2..\|..+......h_$n7\`.-.ZV...."AA..`8../....@..JMh.Y.D4..kX......'.p.N:.iK....v.....+.......)...$bqo....cq.8`y.N..rn..D.9NPY.....]..x4..;c..e(70.D.*.I,.....4,n.2K.......q[w.NO.....32...........\.....f....x.'.......-Z:...w$=Yp..D..e..f../N..F..`@.~...qT.d..Y..0.e.{w.....cq...M#...1o.S.H...7...M..M.@....]...B..fg3\|F.O5......g..\.`..[B!.....i..2...k. ..Aj.E.R.....LX..Y^.(j.;...fnAY.p..qy8..o....4....\|2.S.7..5R..G.....S....8S0c$....C.&...%-.].\.98.D#...]V\.;F.V

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.mscapi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	78196
Entropy (8bit):	7.92845847050618
Encrypted:	false
SSDEEP:	1536:k2Na/LNYo4Z/rkUG3FVnJP1Uufitv3eQccdatnKdknGFe3mUsGwzMOpOICSCSKPm:Z4CQls2igDGFiCgtIVjqSi4Hh
MD5:	6F42045F475CC7E5AFCE90B03AA6ECE0
SHA1:	51D26AA2154B906A29A931151887E9EA5C11962C
SHA-256:	F35CBD067FA654E4782847D60E27BC6BB19329C144CE724836E11ED3024885BE
SHA-512:	630781278A0BD196D38765E37566E8704CD09EFB48E267EAF541AFF60D0B3585884F4F27E5F6C4A0E5AA1536B5CB1F84DCA65E02FD80D22F5AFF296D2E6DC396
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmN.N.0....P..%.'..:T.......J.....Tn....V...8..\|..I...J.....~\|........+5...@...[..'..r..K.r'.Z.h....v...."qJx..].0...J.^.S1:.....Sk6Z..K...F..b.=.O.....x+.^.`>..$..!.b....z...............8.w.p...b....Bm#...(..B.0...c....PK.........E...PK.........n/Q............4...classes/sun/security/mscapi/CKey$NativeHandles.class.R.O.P...V.v..(.. ..6..#AQ3!8.4...xW..P......#.A.y.O.A=....@b....{.......o...`.@.I.......vy....?....R.].W....V.idt.&..dX.z...........u..+1.o......x"b0:.p..A...%......K.d`..:.&.c.a."r......v.F..RK..)y..{...Y0h.`. .p}...E....}.h...Z<t....w\.....C.0d.b..m.b.Qf.......Cjc.#........:b...$.#.h.. ".../..H..G.e./A.'_...'.0........C.V@...fe.@.!k.d6K.j..8.....PE..0....!Y..3T)......+...f..I.$..M...J#.Z..?.#R;B..c.3,.. ..\|z.f.r..)...b.A....U.....T.Z0(>.]......g.......T..&..55.p....EuV..%..i]:.....:A..A..%R.....q.$4...\|..PK...S;W*...E...PK.........n/Q............&...classes/

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.dynalink.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	164226
Entropy (8bit):	7.892034326519069
Encrypted:	false
SSDEEP:	3072:WduPEhfhy9SH8Y4zuTV/9nrPcTYxt7qnbN6LjTjAW6+w0ghchJK44kupSzOxGwQJ:WduchfIgHAzuTdR4TYxt7qnbN63TjAWN
MD5:	5F943224E4AF329272D7FDC2066583CF
SHA1:	895810831A50558AEA8DE45E121E5166030B9E54
SHA-256:	AE6BB704E5073B9A0A72E767E7621077E78905799EA24493D23F11E41B6D8E83
SHA-512:	BDFC9110CE85062532C583920D2AB6D4EEF9345E87FE5C68264C3E83020705E3AD3C4ABFA248C4C3C59FA9718EFD288B19DAA78C684A856F847D5F6864C24015
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.A..V..Fv.....J.^..........e...7....G.g.1.0...JM...>..\.P.'a...T.I.Dh.....qBu....C.X..........B...C..Ze...e(..k.TS.M.P!xk....j...!H..$.S.......]B...y<xvO;.I.I.yh.z...3.C.1.X...{.nS..b.P~N2=.w2.....V...y...Dj.[./\GbJ....Y.....\|.la.r8...qd.5...ffs..9O.;.....6...R...;N-.w.U.5.~..O~.PK...?.y).......PK.........n/Q............5...classes/jdk/dynalink/beans/AbstractJavaLinker$1.class.S]O.P.~.6.m...0......B.7.b37.n]B..p...'.PZ.v3..o.V.c.......i0.....y.~....ur.`.k%d.U.S1.<..{.......@......G.p.`.:<.........m.............3.....U\|..Q@QAI.(T...83zq.q'y..I...U.-...%N..42...i..v.j2.f..3.b.e...;.....m3l^.<..I..1.......b.T0.0.O5.>..t+..N....GQ..**n.)...1.Z..nH..../.v...6.K.{..Ym...>C..{../..,6...K6.$vH.....j....=.ux.'f.I..;<.$>#..;...3\..A.'...Z....z..a..{-..CW......5.l.8y...j...j>.c.+x.\|..0._.Oy....=.V...(O.<.C.......h\|.;.Q......Z....7).!8r.g......J.?#.".0...P.G$...g$...K.Y.S....9!....hM..V!...\|..ZU<

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.editpad.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	7108
Entropy (8bit):	7.811258404475187
Encrypted:	false
SSDEEP:	192:Q8DM/XTGw6L+YSUUgagGBdzubltchdvvWKdNsAlsB46c:Q8DM/jGNx7agGKblGDGLAD
MD5:	AA734D758967C9CC99D97CADAF2CF600
SHA1:	C11F74087C937E8A29C7B8E9E796896D0D9359CA
SHA-256:	614B6DAD2877EAC8D0E1F7D29F2067356C3ACC3CAA40DC6DCA23953F416D79DE
SHA-512:	959EDABC1255EF215CD76F949FCD6B1809D9A8E01BB320165AF0E9462EBFE62646A6DDE9017FE55944B5B9036C2FAAD87064C2EE64B46EE80511A0C6761CE988
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMOKN.0..WJK...\|/.&....;$.X E....Tn.8..v.s......8T..y3.y.~~...<...[)^$..j.....,.Y...2....$.fw.M0....M..P...=.f...S......=B.\.8W...aT..i.t..;.....;.9+..L...L.K..H...B.qL..g(....#t.\.g.....0.>...l!.MX..L/DN.ld....l..o.@..jb..?..}.qh.....:..."..3...5p......PK..5^..........PK.........n/Q............#...classes/jdk/editpad/EditPad$1.class}RmO.0.~..........o.J....i..:mR.&@E..4.......].@.......vv.m.E..r~...{....@.[S......J..W.u(b.oy...~.q..P.2... @4...)x.^.'A7Is.1.EW.......?OD....O\|.QaX..>........t...[m(Jo.....x}.3.j..\|.....z.a.^..H.v..i.1.#..A..\d.C.j.vy..4...c...iQ.`..03.M.....`X.G.]..o.0.]...n.(.e].A.....I!.m....,.e....j...&.D.?..&.OJ....<.9V..}...J.<%@...Dh...j......i...k...m\|..W.\|F{..@.../.....`..{N....=Y...wp.c....gONI.._\|.o>...L...79.X#.`.5l..:6-nX.._PK.....m........PK.........n/Q............!...classes/jdk/editpad/EditPad.class.X.\.....e..,.X....&..B ...l,`b...CD...@6,3.;.....n....nz7..$.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.httpserver.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	102118
Entropy (8bit):	7.881915775504197
Encrypted:	false
SSDEEP:	1536:hA2EjV4dImyeS82MzTdgErULKjFp4Fm1CMfe1ChqmxrMylQEnEfc6o3zqZ1o:+2Ej5mlP5rUGjFp4FbMfe18r2TYMZm
MD5:	F4F26CF1AABC52F9C792551E45F971CD
SHA1:	98F52335B802EDE4918EBE4725E79BF59BD48029
SHA-256:	AFDA7A68032E31314698D506E38EE63682A506BB72D6620DAFEA6DA1578585A6
SHA-512:	820ACBB8CAC8E19383B5B5D93AA475E83186148022EFCC125001ED2A3CDE96B9F131D083300D62167687442865ACC79644E169553A4C749FDF0E43203C938124
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.N.0..../.M.3.8T......J..Lb..&..$...8..\|.b..PV...xv...w.w..z...Jt.b.....!...y...U.r.6.Fh....q%.Qf...eZ.........R..1:.....}W<K."....m...S.'.4:W6...;5...^......%..-.L9B.G<I;S.a..en...E~{....c-.a..1...G.....x>.....1b.."d......PK..D.......}...PK.........n/Q............:...classes/com/sun/net/httpserver/Authenticator$Failure.class.R.N.@.}..R.............CbH.$....n...dw.Wy1.x...(.tA.nx..7;....~}.\|.h.$...&...d..h..8tB...R3....&V...sU$.C..@1d...Wm.t.>...e"oc.6..ZL]..b..l..,.%.D..Y.....#r.L..\|.O.\..2.~....~..ICM\|.....}......H..HD.......r....]..Ku.Ie..N_....\t.WJNr...5..pJ.L..1..O.R.g.Iv.P.pr.o..5o0_tM....d/`.....M.........VZ4v...t4.2.W...tY.lk.{Q..Ic_W.p.}.G.ZZ..#..e....PK..1P..g...p...PK.........n/Q............9...classes/com/sun/net/httpserver/Authenticator$Result.class.P.J.1.=i...Zm...B....*..D.TP.{..n.6.$.......G..[_\|....9..I........).h&..h!../.J.B..y?_P...Kmt..h......N3...4.P.y.......CN&.L....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.incubator.foreign.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	67990
Entropy (8bit):	7.946352945303167
Encrypted:	false
SSDEEP:	1536:bUJtgSL6NznTI0AE1ZSxiubggeSqtx0xp/2hQ9rW76B93ap:bytF6NbBz1ZS3bggeSqtxq5/rW76vKp
MD5:	E9CBB864F1F0780B15F40963C426E6F3
SHA1:	F910917052336D532732647BCDB73D80DF612C62
SHA-256:	FEEEBA790ABE0CD4A36BBC68FE29185B4A152663ED5FC6B6261FB40E729D3B21
SHA-512:	DE83F8F52040E862A495881C59A5FAD444A012DCDCFE65B56896A079D6DE1B4668138F48C9E50E091BD2F83E11F090CDBC38E47FAD52186DC6ACCE6994027535
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMNAR.@..A...h...X.J.p.F..~`H..B..$r.].\|....dE...t.t....'..bBog...6k........w&.m..&.V\Z....L.sB{....4x&...g..a..R....D...W+.$F..]..%.s....a..WN..I...b!..R[C.....LJB..Mj..w....h...Q.g..y.o...p.U.%N.n....6_.n.y..PK..%an.....C...PK.........n/Q............2...classes/jdk/incubator/foreign/AbstractLayout.class.Yy\\.......p.0d5. faI..!b.!.D.".Db.w...I......R..6.Q[M\....kB..4..>.Zkm.Z.V...^.....s.af...o.....9.w.s~..._...PO.9..\.6.y.'.l.....ZpS][.f..%./.....BnUuW..(P.PQ...`.oK.?..j.P../.....u...hX.F[..P.I."..t....z,....F....h..7...i.QB(..Lb@.2..s..2..U..L...M.@..c".Bq,8.....Zo@o....UI..L}u..9[...Aph.h.....B+.P......m..B.!SL;.....s]P....C..J.'.m.G......34....../K..Q.R.X(.?.]...T,."Q..U.6..`...*..LX.jP.`...8.P..h...mZX?/....P........4..[&O9...Uq..'.i...!..M.-.Ia./.4,_..z`.O.W....d.BpN...w@..C...B,.+f...D....a......G...b...hb.....d:.4.z..F...X.Q.E...9FJ..ay..\X....-hM..@.g......LsV.....b.Z..eu..3%U...'E

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.incubator.jpackage.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	944571
Entropy (8bit):	7.993019507850888
Encrypted:	true
SSDEEP:	24576:o/LKQfuCSkRb5ZBlZQQILYqwjypRJ0lqmAp:4LKQmCj1lZQvLYqweh2Wp
MD5:	D202B393A656A5E8C68687B4D33F55C4
SHA1:	9B41A22AD8105D3CF3961AD8F4D6E750BCF291B4
SHA-256:	5619F01649B53255A0A3E68CFEC3A4AD2DE6200F83E347DFFE083F0839AC467D
SHA-512:	01CE53A2C06BCA793DB0AA9E7011A3D4C734EC1B4DEB289CF3E57973514DFE25D325C3C401798EE22CA06FEB47D643CCD73880F064AFF27449691C189C7D7AEA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.0...a+-;-...C....\@.....$.1.mjGq...\.x...1Ii..j}...G...\|{.p.2a.a.....M.D..%85.,..5..(]..DdB...j]<.".......OXa.. .....P.......rCiM.V.-!OX..o..K."....a...$.Bk..."...i........N...b..2.H....9L....8R.k....._..Yy.m3..N.]^....9B...^.. .J_..r.*3.Rw.+.2.J..3aU.........<;W..F[....<.-.../5....D.$#...y.......@....H.^l.~.10..h3...dF...i..{..^,b....... k.(`..)..N..~.PK..-O..~...H...PK.........n/Q............N...classes/jdk/incubator/jpackage/internal/AbstractAppImageBuilder$IconType.class.TmO.A.~.^{.yH..K._....."j.)..M.H,6!~..G.r.k......h..2..%"U?..d.3..>..........#........Y...x.z.F....nR(0=.....x...Z.R.2.eo..x.p...-3..EG.1...s..v..6}7..s....a.\|Q..`..H.&......9...C...{.....I.u..T~.Za(.....)\W.....Q.v...?.-7......6j....;.!..:.I.~.V..I......;.s.3.E..~.L..x.S.e....Gu..m:...X.".@........).q$.....:.`B.G...V3.K..i9.P).......a.fz..fS......N.]..U.Y...8.i.\.'.w.)MT....#\$...-.v......pq..D.U..Y.....L.jR.n

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.ed.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	7519
Entropy (8bit):	7.847897535550514
Encrypted:	false
SSDEEP:	192:5IDZZqI952/n+g5u2ssRZZl3ewqKdNsAls7+B:2DZP9HgAuHZo1LAR
MD5:	C8936F98B9091974AE938C3DA77A2F25
SHA1:	F5A9C8C0883DE8EA79C3BD9D8AC3F80C11320157
SHA-256:	138B3AEDC0F46E2CAC688CDB36B78E9B06D102E8DC9C3E6F8A7CC8ACAC993263
SHA-512:	BB4BB7268C81DD734DE01977AA2AFD1CB4301C09EDA7D1D6E396EB7E24034520F52AB4111B9722EC32FE2DAB158D21B5DDD4EC579FB29125BBA3BD91089AAC4C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.0..-..)}@.\...u..\.sCB..0.R..I...c.....G!...8..zgv.3....'.[......Ol.RtA...Be.M.F.Y(..\..)61...Z].).\..n...uQ.....]....je...=.u.1...{y.J...y".^..#.....u,!.CX.i..l..\....I.s.....M..&zin..@.....<........E.P...@:...8.Z.FH....PK..........Y...PK.........n/Q............;...classes/jdk/internal/editor/external/ExternalEditor$1.class.T[O.A......R..!.U[n......5@J1....``.%.[..JM.....h.Oj.5...P 5n..g....sf..y..@..a...._A...c..MU....MWyY8...]o....'.Z.ua.'(0.Dd...AD..Aa...v4....t.......X...O<3..N...H."..#.N...c.:.....Q.:w8C_"{.....0...D..>.f.?.".p..;......B.i.......,C.0i.j}^A?..y....PX.D.\|..0..T.....v.i..'..r...E...kp=...P.t..X.Xq..@.E...S.'R3L$...d..?g.)...0x..U..Vt..e...4K.kO.w.Am.&>I..We.....!.n...D=."...A.{.y.c..~......z....=.h..%m....5]3........X0<;..?..k..T,.\|:{..i..[.Y.J.:.].{9...d..n..X[..Y.b.a...P.v..]Qw.C9n;.tD........6.1H.DW'..toL........$...B....k.....U....\|./.B....".H)

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.jvmstat.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	90538
Entropy (8bit):	7.8478943536932055
Encrypted:	false
SSDEEP:	1536:3fa+mzmuYgDlJR3aOy11mrrGFHz6FH2TD8YR7IactS5HK/6YVGz2OMPCzn3/PQPr:v1mzh9vX/az6FH2TDjIStA6gODz3/P2
MD5:	2F1AED1638554EC6D6479CCFECE4F6FE
SHA1:	767011B093A860A269947435B42A0918A031DBCB
SHA-256:	1CD4ED9D066D1C5D2B8E179DED7024F2B52FCF9364F1C0765C5D579FF73CB2BA
SHA-512:	987952BF02E87A4011B77A25CF3811BBB91FA0C166F3F7BD31C83A705A821685252F4F9C280AC77834EF6AE8BD57D96A467E8D2873BE1B8ED898F18AA72B195E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R.N.@.}..a....`..`l..\rAB . !.;j.......c.\|..> .....2H#.K.U...k..........a8Ua+..(k...0..x.(....K/..3.xq.j#..>B.c....,.[...qQ!8....,2w1H....e!3..&.v..d....O.#.....U...T.7.D..#.....@$.&../....M...-K.$..r.U+..v1E..>{gBK..!.0F...f.....4t0G..+.i.0..=?..0c.....v....D.E......o...>#.B+..w..\..B.R...NJw...dG.F.F......lE..#.si.#.Q..k].i........?`.^.q.....A.rc...9..a......g...G{/.....uFx.1..Uf..#.....l.?PK....vR....d...PK.........n/Q............1...classes/sun/jvmstat/monitor/AbstractMonitor.class.TKS.P..n....$(".".G}"BE..3u.8V..F..J..&I;:...n....3....(.sob[..7.'..{.s..._...X..\|.......w.W.xA/..[..#.0t%..,3...L.....).Ca..+..A.h;../.).l.W..c.9g.}g.Jz.`.H5..e..K..GA/....J..FR.H.....Pp....n.z.,.......L#E`..\.%..JG+[)..w..X.o^V0.+.A.rxX..c.vvB.s.Wg.!.m?._....N2..a..dL...3.p....v..].....3..%9.(b../.HUi...ik'3....w.E.).dlV.Y.z.g..i.^pM.........li....].X.A......h.3S.(aM..7)..P....v..a.%..N.z(5.<g.......ig..[

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.le.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	424947
Entropy (8bit):	7.938896145421226
Encrypted:	false
SSDEEP:	6144:kDK++kib1+dsmo6Asyn7XP8VClZe/vgPpHH8qUINO2QEnPyf2rQ5ASe:UrwbQno6AB7XPgCn/Bn8NMfQIy6Ke
MD5:	4A46A0B3A85C592A5CD1A875C466E386
SHA1:	9863CCC4CEF7FE3A46FB9A99CB367346B8872D3F
SHA-256:	05EB47739AC18826EA713F68E0611EB59950255AB002FE3CC7CDED75A9CC2464
SHA-512:	9D1B7EF66CD98A22C3A6E160F315263643F444A86F8C237C98E1FA6101A3A607B49266E085D45AF9F8A1FB232DB85248C046DA22FF2B6B679656EF6CD8C71DCD
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R.N.@.=S(n......P...E.%R/.}..J..?..7a..E.....C?..B.a.VBib.sv.3......?.>.P..`j...G.."l.C..:W.f.L\|..:....na.......}.6g.,+.l,Ckb-'.2R..7_.i..L.B..W"M.Z...x.N....(+..GK8.L^$.@..3G.Dd...$.....[..e.2......{...&.xN.-r..xI...N.cs.W.J9n...y..j9.0?...C.......4M.....i...5~e.C...$.l......}........N.X..{... .....E~.....+..f..P.W..q....@x}Uf+x...U.....7.n9....;...u...y..5.^......g..qp...-PK.....i........PK.........n/Q............9...classes/jdk/internal/org/jline/keymap/BindingReader.class.X.xTW...,y.......)....iM..2.......\x.yI.&..Y..wk.j.R7.......m.. ....k.k......of2Y@.~....}.....s......j...k.g.2..Vk..NX...v4.P..O.3.....~.....7.eR..PW6.....x+P..@..sP..5.-.Of.T.J...Pxk"......#.h.+....sl.....hWvpP.s{N#.....Yz5..'.+S)k...Y;....,.!.(....p.......sF.8.&h..sL..<...kqa.i...t..Iv%.....r.5....*.K.,...t...x..c.5.~v.65.L......yXL..+.).>w.....\``....^a..HeT..L..M....0......Q.}s.4..".M4...M....Q.,,3......@Z.......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.opt.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81856
Entropy (8bit):	7.846420334642564
Encrypted:	false
SSDEEP:	1536:11nsYEHYbC3DfjgQb6r1sPX2ShUVu4J6FI8pn2aGZsUpCi7Lre7jDZXG3tQ9D:1BsYiQqDMriX2PVuM6SGrOLsK3UDZXMM
MD5:	E47B28481EE70BB515D1ACFC17C9D84F
SHA1:	5BD36C3121AD501400D8A92546DA6A72FCDC271F
SHA-256:	545BFD82162D6262FE190F86F86DD497E1665235EE2D1129CD5D5E1AEA908C2F
SHA-512:	2AEA39B26710427B528BBEBAF3A88DD9D6CC8ECF350E99E99FFD7437729CC234D958601FAD30AB844077FC190190E2DDD3E90528B56FEAC451065F459CE18800
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu.MN.0...Ai.?($P.,z..T.n.g....0.)N...........R....od.......&t3..F..}s-.a......l%q.-Tn..nU.h...{q+..!...O..^g+.".......&..J...D....W.U.~%.Rb.MC..:......]./.6..>.?"...Or.....x..R...Z...Xf..n..a...Q.cD<G8..~rSQBP...~..N.......PK.....S....x...PK.........n/Q............8...classes/jdk/internal/joptsimple/AbstractOptionSpec.class.W.........N...X 4....d..,.......$..V..N..vg..Y.......-.m..j[j.-..V.O~>../....{g&.}.6~..{...\|..s..\|.........@.B.x.a..mj.....:F....\.0....)..P.(.qA;...]#.......kX.#..P8...9f8....1O2...........[.,.....@.Z...X........:......9U....A.4.!.......]..I ...6HS...VB.h..Q.I`...a..NI...a}..nV.....U.._[i^z.UE'..h....'...W..z.T..;..3....O\ Y.<...F.M...1..m6....Z.5..z.......m+E=..N..'.\Qw&...[o...6.[.=..c.i...X..RB..Uq/.9.~T.......>..U.}P..\?...Tf..yR..#....X........Z\|.F..\..<./.u/.....]...\|....:...\|1..n....cD&...D.)UG.de:k[.I....x..8...xL`g}Q.P=...\)......=.b...M.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.ci.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	441292
Entropy (8bit):	7.904078584539265
Encrypted:	false
SSDEEP:	12288:xL9PUt54BixmIWVjQgCjiub1RU53P8tP9:xLhJgxmIUcWuxv9
MD5:	E46EA1F70112D65C273DEF5E61194944
SHA1:	A0545A8DE36BD509813D6E0D0A0FAB9C400494F4
SHA-256:	08738A27A0B852F2F928066F40F28B0ECF3B7AE383BE8670BE40EC51E3F322DC
SHA-512:	E7486E285DDA9376342303901C2C97216071E1512A7AA9E6D1AEDF3DF8D0639FD2F74F0B00028E9B2B186633C4FFB04B0D02ED25B7573903E114F052E8253C2D
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}R.r.0.=.mC...z.PJ..h........t.I.w!..mdul%...]<..\|....4!.~.........?....a...2.8..* .\. OUG..N.3.'..j..:.0B....{.F..cC..J....s..a...Q...f.@."#0I...0.=..../.>..e.........r.\|v.@@X...t.&,........+..1i;.e.wK..pf.N.M&p.0..(....X#,....y.2i.u..0VZ..ccM..l.6....>7.o...N+.....v.o...&..5.j..@in.V..a..ea.^....!..bjXo....)a...6.\|o~f..E.(.O\.Fd...8R...8..EV-.].7...A...&$.C..:.......}.GX...pF.Mu.....6..=..B.V...&x.........].....oPK....V....x...PK.........n/Q............)...classes/jdk/vm/ci/aarch64/AArch64$1.classu..N.@..a...:.(G..r.@.....c\Y..%x..C;a...i.k.3..01>..jb.1<.....?#I....../........c..X,....Y.v..z..C..p\.i.D8.EKl...k..)c.....9....(X(r\.g.HsBDn}v.YZ2jO1...~..7.MA..].....m....x...%.kY.@....."...8....*..P..........t...;UUk..u_..Z..H....g...I.6.8...^..(..u..&.R...M.amd.....L...}m.q.k#..w ]...q....(a.{..&...{..p......+C~....O..vt.....?..fcOF..3tU.+.....O.Z".C.....T3r........\..@.~..)...,...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.compiler.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	6393414
Entropy (8bit):	7.903376019710367
Encrypted:	false
SSDEEP:	98304:6owraaSV2UUIicONZ4L/LgvXXtasDSECRrs+b5Fr4zvFTTJNzH8mQ:6oWbSPCeL/svX9Nwxs+b7r4zNplG
MD5:	9F834ABEAAC75525F0FCF228B7A60574
SHA1:	179F4A4E8E30686AD80582F3A0A1E1F178E50BA3
SHA-256:	8B66F9D8245ACAA5E2EF406C443E33D1FA9D3ACDCB6FC93A439C4EA1FCB15442
SHA-512:	81976CB0DC4FDAEF67BCE6276123DEF0ACDFA98B6ADDE9EF4350A018D03C57E3B3F0F8FEC5451AA34AACEF802476FF6561E8161DC9AB1F8FCDC077FB7C872035
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.\.x.V..ym.6mS.^...m.&e0.N....I......X+m%...L...\|.....zL=f..]...yz.5..n.}+.v....Q.}..G..l. .e.P....r:...l...1...^..4m_..au.;.N.bZ.].;".X......G.X6.......aY2..e...pV.2'..aX....`Vl.q.....D..Y.....G:n1. 7...3[0]..$..@8..te.2.,m.D.B8....Y..XM.....x......K.O......R....+39..S U.D.?VD.\|0..K?.J...\..p.C...Gr.....cg.h.c...e9.....[.l.H.x.i..T1.'.#.U...i...\|..mG....\...EI6:5..e..2......).(..nQ..8..X........~.....\...Y.......9.c.....pP.L..C..p..%...X.,..!M... g.H.2..\.U$U........d...g..2.E.'.![q.).2mz...m..D..bn$..oK....J_......./E8>.Is\.<....Z.m........y.2..cQ...)....N...4z.<Z.b.J..0.$.Px.#:.Zw.2......G..L..\R..2.Y.#a/....\T....:..:C..C....S ...k..Q.y..\|.B......xsC...Sd....6..eY6..%.(.:.%.8...p...7)..wqD...'I....K....i.r..i.p.U....L.',.!+=....\{..r.Q.R...x>.1..B.:.....AB!U...X.4z9.ZJ....H...Lz5/[$.^.pb..J.U.*H..>...&...F..h....K...\.o.....+=2.-...oMVO.'.ir......1]...@..h

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.compiler.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	12298
Entropy (8bit):	7.8734358073542
Encrypted:	false
SSDEEP:	384:4sWbgcyF3vE5ImBmW6oJ4+cbE3Rcfd8wxmy6zvXLAD:4s/cs3vEGmBmCKBP9Z6rQ
MD5:	34DFDC94E39761FC9E046893E561D671
SHA1:	A15D2FDDC81E8055E85289E409EEDD31B73DEF4B
SHA-256:	05334CBAC51A75673F23943BA026B79672440C477A0E69608FEA456C02A36834
SHA-512:	CA394A70EFE1AA102B2C01DD1CA6749009953B66FF5F426A50CFC9FEEB1452C756A72654A839D01F202A4BBBECD54CF6B4638EFC1F5AE0CDA1E41D7D0B3C1983
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.P.N.@.=W...)>v.\1....N....F:.B.C..l...~..e.. $..M...s.._....qJ(I.O"...W...5...)'.....c#t.#6.l..8..f..<.R..E...\...!.+.x..<.Jo..)....VUM8.B...D.(.j...\"T...}.B..X.....i\.{..?G{P.o.}....{.A...M.b.....m.s.O(..D..-...eW...>.\|0.....p<s..C....W......[XJ..H.m...b.b.bq.F.YN5.z.......G..a.....7PK..../.+...,...PK.........n/Q............Y...classes/META-INF/providers/org.graalvm.compiler.hotspot.management.HotSpotGraalManagement./J.K/JL.)..K..-..I-.../)../.../.... y................<^..PK...:.Y?...A...PK.........n/Q............_...classes/org/graalvm/compiler/hotspot/management/HotSpotGraalManagement$RegistrationThread.class.V.S.W.....C+..4..&.\.1......b..0.$...f.0..t..A..jn.....MQ...>.U..T.%y.C..}IYK....C...x...\|..v.......t...X%.?..#E/xL.v~.v.,H7.<m.sX..?Pv.xn..h0...F.u..I;...\z...vV`...u...mqk.t$P...N...C.......x.S.tN{.,.3^...J....h...tm..Wc[@.....r<.......u&.A.@.......l.p..6..4......xb....Ml...Y9!..4..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jartool.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	194472
Entropy (8bit):	7.970641034460952
Encrypted:	false
SSDEEP:	3072:MgedXNLqa3FbTV5vUwRraR677wbxsv1EGo76TIObRkax7vJk4VsDkT9hym9oAlzK:bIXFH31fvYRe7wbY1pH/7vS4okT9IAZ6
MD5:	325C9BAC6B43ED148BFAB975BA7EC749
SHA1:	112602CC92CB5706740FE8E470245CE5131ADD46
SHA-256:	0DD5B5ECAB1D3C4227330FF96B2CD0782BFF4C1DA082DD5BC667C693143454CB
SHA-512:	15DD1150F5BA2634EE32016FF470C5BDB6F51FFDE32E7A94265CC2298ADB1777526C907310086B5940762F78D317A051C927DF2D69D03F0CF2B35EA68B3BF61E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU..N.1..Qd./...x..V........@...lM....sy..\|(....4i;.}..L.......CB}i.,V#....Dh...\.$3.h..M...(.....6..:.Y..%.].g..><B...Safu...U....yyK.O.....>....$.r&..r>N..\|..M:.E.0.S..:..C.)WM.Y.HY.]..a.gi..sB.h..c.})>........L9Bc+L.....^.$2k7....n......G.......Y..l.B..Tm..\|.=\r.`..^.-.1(..?PK.....k........PK.........n/Q............-...classes/com/sun/jarsigner/ContentSigner.class.QMo.1.}.l.%..Z(....h{...J..R....N..&.v...V.8!.....U1kPKO.....{......9..6.X@#G..&Z..\.JQH;...V..zo......a.E.r....s.Z.E..m......D......k.M..FV.N.b(....`.g&......~.. .N.d_FIx.}.....Q....v..$.?.P.$.gC.....U.M.)..R..b.8..W.....or..Q..c.....k..D6N\|9.......J.6.)7j}S....O...M..G....C...l.Z.e......{...NO.8..G.t..h..).B......=.;........+]......l......2.},3.al..<......O...y..g.=.x..#l..PK..aHL.........PK.........n/Q............7...classes/com/sun/jarsigner/ContentSignerParameters.class.R]O.A..C..Zi..T...i..`B..n5.4...x.n..4.3..,...}.....w

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.javadoc.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	1211177
Entropy (8bit):	7.944554747269419
Encrypted:	false
SSDEEP:	24576:c4xHrlw1+43XYwN5YYB8d9PBEJAqxM6EClnYCRwQz:t5B69YYOrPeJfMrypz
MD5:	038AEACBF82A840FB86C19767F657F72
SHA1:	7883E63F46B7CB0847ECA59BEF4DF7D8A3EC8D72
SHA-256:	1430B8D1685F5DE76F26C54B56C81D5C1069358CD4709BC3DCB6FFCCB0913264
SHA-512:	154779EDA97F99703796A169D00BB37FBF46C4D1ED87F9954943860828FEA6DE3CBC0D282511977C0E5C56C084E801C5E736CD35A41AFC448E2B192F2EF5DA95
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.R.@.=-H..J........E..^\|.\|......dX.\f+........,;..X..IUz.O..3.3....o...-a:1a...NO.."t...&.%s...NC...'L...=..0...+"..U..!xM\...R.{.$,...9....[C.u.\..,.<~).N6K..DfQ9.p...^...Y.r.w.........]B..S..:.U.....V.....[i..\|...k.,47..A...X....LX....V.k#.....&+.."s.b.p..I..)a.z.I.:V....LuM. [...To/.hq.k.f.\s....uLv+.j.oI..\./-'..LP&-d.MZQ..Q..x3..~>.f...%L..&\|.2..}..0WO.e.....8.Y_......"..$<..n....>...<..M...._U.g...U...^..a.}.=./.g.+..a.YS..yx...,.!GV....o~.PK..~.AI....k...PK.........n/Q............3...classes/jdk/javadoc/doclet/Doclet$Option$Kind.class.T.O.P.=o..t2'.CP.!.(u*l.....l.....V.XZ.u\|.b..@F"D..o?..GQ..l..}.s.=..u_.}.. ...!....+}..1.^C..c.zQ.L..o{n..6.`.TD.e....J.b..0Y..........Jqi..}T..Tk+.5.9...I.9S_?-......(H....\$.....-s...^...>a.pIFZ.0.S......;.../.f.S.e.l..........\@...........v......Q..Gc.......M.6..SZ..6P.....5...e.....U37.....$.~..5L.n.l..HJ..m.3...N.7]...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jcmd.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	148116
Entropy (8bit):	7.957089717075174
Encrypted:	false
SSDEEP:	3072:ep6J8WzaQPEnQilSKrKbu4orXtAw8BEI6KyVmX632j:c6eiOPObu4OAw8B7B/N
MD5:	7FE2728D9C5445BD2E8BCE58C8EB596B
SHA1:	DC5E88F003CE98F92BBC47558BEB041FD42316E9
SHA-256:	6E07BA1C7EF067AF05AAA9B6C5EBA558C9B7C110BE19A4B8CA92750718FFD195
SHA-512:	55694DC5A5F13F82C5E2E411BB17A5CF46B350A0CB4C25952CD35B57E98B6B9AF0652DEE4F4B365401E0DCB4AB6F2C873E6F8FF015D178E211B6655F025C5040
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]P.N.0..C.A.RvzoB%.......ILI..U...~..>..B<.B$<...c...?>..c..Q:.c9..7..c...7.K......*pPc.Oo.kwJJ.'^.ul<_+....C...G8Z...g}9:U.....C..-..rKd2..9v...f........<.%9.3.l..U.....mS..,......a..4...-..ppB....!.%..,...Y<..L...x..Lf.e.&.^..P......o.p...qN..;4......q.9E....I.......8.e.s..PK....Z.........PK.........n/Q............1...classes/sun/tools/common/PrintStreamPrinter.class.T.s.U...vwo.l.Q..V .....BM.R..`.Bkg:}q...b...l.8.....o<..Kp.w..c....%..f.3.{..\|.9.g....O..q..1...S..=....p.;..{......0H....u...T..D.+..m?....NV..ww,HX.l...\|..9.QV,.....m..q..../.g.,.8..&.fF...J.I..a..{.F.o.../.Y)T-..#.)..o.....R...-..E..m.I@..Y.p.'$r6N.......`.^.do.]/K....3JQ.kD-_..>4.t.n..w....i.l....[......o....~..=...s..Z.DQ.U....(.,+].1%.Du_.@-....;[~....&k..6..8P.....(........c7.y[......a.......6+\.\|.....z.F....&..R....f.......r.l.9....P.v..)X..j.z_.t..8....0.)qQ.....7. .[.7..W..0j5j...(...W.9.....T?.B}.\|..+..Zc...o..}.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jconsole.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	471595
Entropy (8bit):	7.927361107640658
Encrypted:	false
SSDEEP:	12288:5l1yr1oJ6u/7xwGw5eHlUisCEtfyyVTJtfp:dI1oJb/7xwG4WlUibry/D
MD5:	8154E711D750D204E5358034800D4FCB
SHA1:	1ABD5BEC7F082B1A9183D36A298173A28BA37B40
SHA-256:	A00EAFECFB99C1C63FB7B33A5EE330680888215F55698B03CCAA340D74F2FA97
SHA-512:	20EF0B9A80EA8FC122EB5E5800E6CF0FCA70E95C08567675D8E46A37926B9D11C835CABCB7874F553092D34CF93CA2021DD671A437780D028A32461C736AA7DF
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classm....A....j.T1...o7.%..K......cw..3.3..s....J.L....o.\|...y.x}.p.}.D..~&..W..a..#..'N..&...+.U&.J...qx......#..Q..wR..av..JX..R..ElT.`bxF!.......S..qm.4..9..#r!MX.)..a.....5..n........SiD!y.v.rm.a.'L..O=..._=..".n@.K"t.G.UB. .u...aE.g..u.......?.<.......jp..q.....q..0..s....<ON.^..\|.....Ql...c.eT1..>'.lz.x.y.x..e....K...f{.[Nb.....'PK..>..e...i...PK.........n/Q............D...classes/com/sun/tools/jconsole/JConsoleContext$ConnectionState.class.S.O.P.=.u.V.2'. ...6P.T.X..1ud...%.O.V,..d....D.F.g.(.}..0.1[.w{.=.....~......CE...4....Q.x..k.~.x..^>y!.9..I..cGn....9.0(.I..2.z.R..1,.z.g..i..h...iO....EB....K...1.,.:.x^{S1.....!..........w.....g......TC.a\W1.1..$.....g.....{.....g..q&`F-..1.2....8.M.bH-....0../VV..4...b<.L.\........2..B.s!...(....d...N...vZ..G.._..z'......V...c.....]`.\..%}....."\"_h.B-.^<...!/..o..53h.l.+..vU..".;a..#...S..F._%..\.1...."}.a....}..Ll...Qq)...x../.7AV

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdeps.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	747316
Entropy (8bit):	7.912940714319912
Encrypted:	false
SSDEEP:	12288:C73JYuZSRMmg+2l8ZUAKJUUvF9MnHczIf+z71M5Ns9ey:wZS5g+JUAOtrMni571Wsv
MD5:	29D0A4D06C197F265501AAD6BAF45E62
SHA1:	83E71B0BEF3DFCB56F3E2476B1CA53A16ACEF850
SHA-256:	A9775CF5EC65239428BB5C55BDC058BB60B8CBB4F5C0B4B070D413708EAD81E6
SHA-512:	F58B00D9D151AF763B8FCB95008E154D8506023C82490714E1D23228177283643C5B1A1EF2BC52565A651A87BA9200899F2ADEF02D8BEA7E5916CA7ACFE03595
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuR.N.0......-..... ..G..HHH..&1(m.Tq..\|..\|...X..-..d{wgf.#.....8..a....H...!.@.B[..'A.U..[.d]..#......s....f.5.$R......H:..vgQ+........T....R9......E.`....1F...k......:....B......v.6..#&dZ....!.i...o..0..X .j..l....w.n..).dja...O.".KW.._....-.9.;.k..n.....L.,..-...M..c...!.a..Xx...3.6..0.:....5,.J..Q6...0..gU..........]^.9...l".......4..e.....p4..Y..;oV.Y...e.U.kt...B..(p.`......PK..f`......C...PK.........n/Q............6...classes/com/sun/tools/classfile/AccessFlags$Kind.class.SmO.P.~.{.V/n...A.P.M....9!."q...O..Q....d$B4.>....^j...&.....y..._..0.Z...f.-=..z..^....{.....g5.......C.#.4CjM..J.A.....vu.......+.\.n..'u.r.D%....Y..Q...2__.}X7....WW1.q.#..q..l/...Q.X;..-.....s...a'qS...4n......i..C..8.{..ZO.<..S0...7.^.A .g8.`..Xq}7.2.k....z.)..?.A6..ANdE...b...}...x.a.....Z.Ks..\...v..{k.J..~...(.....V...1k.Z....h.%GY.m.V.i.....tk..O...,+.;...j....l..K...(hIi...7A.).0...../....[Y..4I?Yj

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	873528
Entropy (8bit):	7.899120036221473
Encrypted:	false
SSDEEP:	12288:va0YbDnpUDzGiOkyBcWLuexX9B5QjTQyJ9S38DMZz6zb2lPT6kax8uMCIJuTNDt2:i0wzMzrOpCWLgXSMYOzUPTtZVC71c
MD5:	70EE207E89DDCAEBBDBFE57B7274DB71
SHA1:	CBAEAC1512A8ED53D391BDF008E3490B5B19455E
SHA-256:	35C6FA0FF16DE8D51DD51448BBA85A3B43CE32E7553779B30A3AD71EEF8F3353
SHA-512:	61E299B33D34239DF362591CD2A5D37EA94F1811C80D44733CF9D536089431443FB19911D7B608D3F1B48C597CD4FB559A88A1D07B26B751168194B54E7F0E2B
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.SMS.A.}..J...("..`v....,.<..P..6.$;.gv...<...Q.....Yq.=...........7..p(...8.S-Q...!.Z..]9..^7...8.1+0.8..A...NC...3Ux.~!.FZ).....K...0kQ`...!).,.U...,'n.l_%2..6./2..)..<o.70U..l].....' w.;..Sa.`un".U..,....KK>..T..Y&......I.F.@..:>6.6.Zp49..%.....F;.&k..&.yx,.7-..hVh.;%.j..?-..M.(GG:M.......U.!F?..F.t.....k...f...U..U..=.z..#...jsQ..._V.....r......c..<....z<T+.4..J.L`y..X.lM....%0..g.....x........r.}.0....MwV.]rv..._.f..'.%..gx....5....l\....f.f...a...~.PK..............PK.........n/Q............4...classes/com/sun/jdi/AbsentInformationException.class...N.A...... ..Jclt........`66....8d.5.c.Q.}.+......-l.w.....b..........MT.H ...C.i...r..jlu..&..bH...a.!i...X..e..i..../.Ys2Xa..zS+..5.I.x......O.f~.....u..P}.;a`g.........n$R.V........x#.P.....t ..>p.S..!q8.^4..Z......4ix.Q....{.?..Rsw.f.j/v...0T.C..U...0.l..sD.QL.g`O..H....&J..."l..Ci..@..Z..7f..$4Hy..s....6..[.g..PK.....LM.......PK.........

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdwp.agent.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	127873
Entropy (8bit):	7.995171911648754
Encrypted:	true
SSDEEP:	3072:BJ/WTQagxB70gu3KeURn3xm1aJr2lUdrwEfNQT0:XWSBzean3xm4JcAr3Y0
MD5:	62D094CAED8190D1752D97C6EF9DF7A5
SHA1:	6351CB0057606D2B44B8AED4AF01DB32FA9079D1
SHA-256:	27CC1468B8BA7A78E5DEB2560CAD5D6CEA1D4FE63EED380C80D90A3481F30BB0
SHA-512:	EEE33F1B646AEFDD6F52DA3CB8CEEDBCBD26091BE328A8BB441DB94846CBF25BF163DC478B562CCAAE923EDDAC5583F8ADE8E09FA7B84DCBD9A3B190AA8BA7D1
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@.D.EA~..[0.D.w.J/08#..1\|d.\x..e...o.].y.......K.3%.T.q~U.....X....H.%..3...0%....Y@0{.......uRuq..8..t.~.._8."...m.\...y&v.......}.`u{.Y7u..-F..\|.PK..b..C........PK.........n/Q................include/jdwpTransport.h.Yms.F....q>....'nR<...C..G.g./.C:..qRu'.O...{w.....i....s.......h...0z......{....3..{w......<3.....r..>..w`....q.)..z.ioj..c....=.....9.N.GW.d>..;..S.9.d.H]."..w).QA.5.F~..l.L...dC...........P.n..<&.Ga,`......=..!.%qiG[z./.G........LfwS{.\|h..A....8..A.Q8yd~gu.jQ......k.}o..t.........n......^..k=_*....Q.p...q..N.'...e..l......G.[.o....C.e;.9...YlS.I<ET....r.+.p..pC..4!.F.-.(0.".B..8.cL.O.M..@..\|...>...G&.....+.7$..3.+......p,.\^.'.4#2.Q.l{j;.......F..c.f0v...[<......O?..sk.N./...g\|2...`.p{.f$f..\..s..<.o...7..Z.V.......6...`4..1....K.#.....u..%..u#=.......)..R.[:L.......L.....M.D8D..$.....X..h.]a..+..`....v^{.o..^......#....z...=..;.{~.....G`/^`.........G...FD.T@@.0%SiE.}

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jfr.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	534760
Entropy (8bit):	7.936953895862843
Encrypted:	false
SSDEEP:	12288:vtLqgAzEIiaPQ0NSuKWTdJLwUa3RPM71yj9aAP4E4:5qis+QdFw93RSyI8w
MD5:	6687450EE0EFC3CF002A404A31F0CF0B
SHA1:	2A3AF738821E03C7CB80D73F0051775D6A2DFC60
SHA-256:	BF4CE18BC133EECB6E0D7607553C0B911D780A430948B804F3BC9040ED0AE73D
SHA-512:	BA8E24DAB000C7A8C5777481679470C620486A1E394AA234B1B3E5F15A08C68FE210B489205736BC17CB642BA52BD0DEA46C1D3AA32EA278C7E23838E74AAB50
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmQ.N.@.=W.d......Q$Q_\|...D.`l.l.S...o\|..~..e....t...r.d......{\.r.k...i.....Js.n.. .m......$!...v....f...2\....h.P..r(U.k..)-.HO........+.J.......oB.}.q....@[..<....U.. .;...8.#....Z.k.. .T.[7...H......O..j......L...\|Y.!......(.cB...x.\|....z...aD.'a.......".......Lw.7.c...%.F.......~.e^S ..C6...;Y7y.N..s.;(.".<.%......m1........PK....^.W.......PK.........n/Q............'...classes/jdk/jfr/AnnotationElement.class.Z.xT.~.I&gfr.....EFD...EAL...".b.H.........o..[.V..l.w..Z...d..u.n.v.[....^.vw...Z.....dnA..<...?.............h..>.Pd...%..[C.Bu.PlK..[....d~$.I-..UO_..^.>..0.#5yo.u...uUo$a5.c..`juS....[^......#..........[...S.T$.[.....UN...c..4.X.J.B.5\|...(T..mb.....R..[.....Si......).L5.b....`b"N.Y..D2r....h (.=D.JDb[..#1+..d...`..6x0._.}..j......Y..J...V..j...O_.t.51.3..........e]..O..p...M..9.A>....%...)mh.:1..\.G.cz{Tu.X.8..I.}](.k-....H...0..&....g..C.V.....O.....)?...f..L.3.@&....R..pqV..d

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jlink.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	410728
Entropy (8bit):	7.940858294306596
Encrypted:	false
SSDEEP:	6144:Q0N3mgGVIQyaTOMi93AcpXpRfT+JjHS4W6dTL/doNBnUCNllxPZ+6UOP15If:vHKPXOMozpjsHS47RLF2BUqlTZ9UOof
MD5:	6B537512C2F426FB7D0EA53B2C9B88F3
SHA1:	52648A05552B27E9F7E8FFE39EC12688DA901E16
SHA-256:	09E7D2A027BDDD185DF18CD8D7042B1C6464664B82F798FB7DD81205E16B8A98
SHA-512:	E51CAED2A7181D2A275F34093F45E1C727196B30DFB26B16BC0439E7C449F98CD65F257AE6E3DCDB1BF55390CC876EE644F6BB9C16E06052DB56F07AA297F2CD
Malicious:	false
Preview:	JM..PK.........o/Q................classes/module-info.class..YW.@....Be.heS\.W.vYTd....B}.6C.4............x...V<I.....s.;w~.....:.1..M...4N....`....g.i.JM..i.....Ye.\.:...jM.yU..`....M..;.n....S-.R..B/.X.4.a.\O.....f..V.A..e...jN.0.0.9..-.0..&.R........I...-..oJ..Y)f.I.~ .&.v.....'...G..<.)..:RW.T..9o.g.tJ...TGR9......=.1....x.v.9.J...8....K6vD...`..},C[..M.^.#. .+.%2.....j"`.0,.e..~....j\..(*.4..W..#.r..td._;`..-F...vD=...V...k.d>..<..f...../1,E...D!...}.g..A.6....U..Z.r...'..SY..C:}..q..!,.L6..s..7..#...5.4u..d...65..Rk..85\..fZ[n......8.5.R...S.....P........P#.lF...N.....?./m.....=E...SDWQ.TP.n..rJ7...5.G.....\.....^../...~.....2.,r..4...g...M..yD~@..M\x...}.B...>..L.x./..o.`..X.2V.....O...........;.A..0H\.#...v./PK...D..........PK.........o/Q............+...classes/jdk/tools/jimage/JImageTask$1.class.R]o.@..k.8..ICiCK!....5 .K....p..D).O...8q}.v...g@B.B...(...!..nwFs7......3..x...R:4..H3.'....#k....m..<..jaH.p.&"..J..u.~7..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jshell.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	663529
Entropy (8bit):	7.949945206904611
Encrypted:	false
SSDEEP:	12288:tLcJdcxVT6CFASpD7Qzw8EunjWLmxQ2jWE+6pyTACA4oqu:lcJdcn6KdY9iTop3CAvZ
MD5:	5914B236665D99E5E396D3C727ACCEB2
SHA1:	6610D9A8F450DAC3AEDB06306AA0F99224D13F8B
SHA-256:	3A73276654319554366BFB46AC82BC1D6F2C93989D9DB2104EDA519BA310D654
SHA-512:	A4ED568482BDDAE0A06A530555ABAAEA31987674693ED34FD460C8960CDD29615984174A85D60D324619844CB80CF86B9CC310132ED6D763311347B5149A7F75
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuS[S.@....\......6)J............].m..I........(.M;m.&._.\|g.e.......>.+.\[..u..i...6B....2....J...\T.f6.~..dX%G .L.$TA.#...{p.V&.3....Z.70".]....\Q........@\...I.xX......8.I;..4..M.......\..4L..U.yk..2.]......T.._......w...RQ.....;..'....0.\....q..Xgp.\|.t.a}....@.o:.VGF.$....C}l...L......Ov-3...]R.K+N...:..6J.......4tu.....sY..[.7..~.(T.qM....P..0..H.c;.=R.n..}.t...Q....Hi..q..Xd4...p}...6....0.....G..\#.A.w.r.=...G..,>...r/,..X....,z.......>a.......m......:f1O.5.${.+.l....PK...`#I....!...PK.........n/Q............<...classes/jdk/internal/jshell/debug/InternalDebugControl.class.U]o.T.~..6..tM.....h7..#..6.R..k.I.5%]..p......i.BB.!n...._..n...@ .@.7!.{N..6.4.............~..@..:..!h.Z...e.I.,....[..1.NXe.dPc.\|..h.A7...a\|kc;i.=.M;..m'7.z..L...aMW.S....e..e8..\U...H......w.tK.....#..........R......3._.d....v........C..;e.[.d..2G+.j..]....s8O.s.Ne.3\.@;&...WD.Z..v..E\..Qu."3Y..N....#

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jsobject.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	3098
Entropy (8bit):	7.5832881194591995
Encrypted:	false
SSDEEP:	48:pCDh92jG/7jnZhQyhuW0KjhRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DVGOveUz:QDhLQ2XKvJX/Agxo7RA1LZZALCGOveI
MD5:	E495331A4B7EFC861687151B3647CCED
SHA1:	2EC5BE517CD31D9FBA085EBB432DAD9BC7D2186C
SHA-256:	04F7529F454B7B3DE70187C4B8457EB1F1F81B4F38F64B4509B5CB733AA80CC0
SHA-512:	C2A85AEB8B01FB37CD82235FF55D1E766FF3F45B6B4BA93A51A60D0D2A1DD19C2F95FA40B640BBA75D284175646CCCD3F5920DEF420BA7C4824829EFCFA54A39
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMM...A...~..._.A....D.......,......(1.".....\|.......G....G.NWA.. by..V..El.6f.y(....1.K83J.x.F..).J.;....:....T.":.M/..B.s.....m.........(.......&7../Jh.."Zv.P...[ts_B.?.s..:y...PK...5.........PK.........n/Q............-...classes/netscape/javascript/JSException.class...NB1.....DP..7.0..;1l.$..B..e96Z.=............d..H$.q.N.o.i..o..'.B8.H.Q..+..A..B./z..<yrd.(W.b.J+S%...M..Y.L....0...!1c.$ay.....G.jK..#.4.#..l!..T.k...)_zJ....y}uvL..a.....4E.'.[../..u..9ro$a...<.uZ......G.....S>a...=\.......}....D..y.<U.XjL.cylb.[.p.1......!.0../<...>..s.4...$.c"H. ."..%.....H..F........O.v.....!52.(.W......t.0Y........l\|.PK..k1bUt.......PK.........n/Q...............classes/netscape/javascript/JSObject.class}..N.@...@.XA....t....\..7F.L.....R'8.....[.......2..S..L./...............<2.2..........!.%C.-\!....VOE...r....:.}1..U7P...P4..o&.>..C.lz...,_.....G.0....5HG...i....p.....h-".....c)<7PQf

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jstatd.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	33913
Entropy (8bit):	7.925452325822178
Encrypted:	false
SSDEEP:	768:UBjs99RXqRNMZEJvWg/hm6LY15x/C0WcqutzJuUyS5m9u8ynj:F9EWoJYNC0F/z8UJITq
MD5:	C40DFD30EFE94EB2E213E0B12215B482
SHA1:	AC7B8037B7FBF1BEC19AA62E9792598E6CA6CF72
SHA-256:	A4D36A1A5112F9F3E793BBABC690255962ED8894519004E7EA28F17C3AC39A32
SHA-512:	0522C1A23A4CBBE4CEA61EAA443ACAF2FBEA09F1EC657CACF254489ABDB36DCD8617C586431304E25D51253A1625C088C36AC76EA0759E73F0720A82866958CC
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.P.N.0.......^...C.V.... .....L.VN...........Q.')U.8`.;...h>..?....Hd..y_..Y...;.^..P...i.L.D(.o..7$.."..e...D..H.+.H.]T...9W....%.42.....fWgt#e..b..........Z.j.......I...e..Y...p...Q.y.$..s.....!<.[.../..9.N..B..Q...4.$....36..,.^..rCh.D...$..Y.{.9%."..8.y.......Y..s..h..cw.\{Opn..WQG..\|..7PK....`.5.......PK.........n/Q............3...classes/sun/jvmstat/monitor/remote/RemoteHost.class...N.0.E.i.#...@J6xO.TTj.D.lX.`.G..b7..X..\|.b(.......^.g.....3..G1"._XQ5....qV.W.Z....^.K.C.6aP.F...3qu[....!Y...vBW. .......x.j.jmgy6.sgarB..T.A;.cl...mZ_..%..6t.Q..w.>..._ YA..2.'...f.tS..K5.s.r....s!..lq.-..F.U.U....ao...o......V....PK..&Q7.........PK.........n/Q............1...classes/sun/jvmstat/monitor/remote/RemoteVm.classe..N.A.....A>.....\........D..x....fg...".....e...i.k...<.....B.pSm...B.u...X...N?.....a....)..i.9..-..e......t."$....yx.n.>..B.p}..-..".7.c=....dN..{...i.....cc_.j..q[Z7....\\|{\!.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.agent.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81621
Entropy (8bit):	7.930307384934393
Encrypted:	false
SSDEEP:	1536:b4z1HiSObJI7P6ahupea/dABbwU5wkwoKlzX6juezDDW6zrV+RZwOZjO2:b4z1HiS0OyCuEjchLoKlL6juofKxNz
MD5:	1A0F24297CFE2D15AAB00F31458640B6
SHA1:	5F4D91F26DCAE7AB0FB2B0FFE69C610E6B6AC273
SHA-256:	6BBE768A88034193C63670B2C037A7C229155C08275A69321A09715690422855
SHA-512:	27EBD97ED0E9C0BC9D29DCAE5837A0B478DFB7404233131E11AD46128FE110EF3D371AB5EAFF41EDC9D503BA6509FA61C8AB8D1536DAE7B5100087AD9233C1C7
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.1.=W...2#..c.Rf$Q7..3!...L%3....%........A...{O.}......=...T....#.&......c6g./.'~.....7Vd...............,....C...............F......`.8...:....2....r>...4w.Oh.p.v.....Wi..P.w.GRh...C........9.B.....v..(..k..?..+g.F...M.....g.."..\.>K..%...S...x.=c..g.h..2....c.P..xl....(.bl.-..Z.?PK.....3.......PK.........n/Q............6...classes/jdk/internal/agent/Agent$StatusCollector.class.Xi`\U..nf.7..$.iH[.%.).L.L..@b.M[J....i..e.%....7mcQ6E@D...EE.VQ.@.).V.q..}.}......d..$..}..s..s.97O>w.1..EA.....H<i.fR3"..."k..^.+.P..'....k.CK.E....QK..#..[k.<..>.~.yy...'..e.FL7..Dy%.Q..VE.s.B..n.4+..L...L......i...1.u..PQ.y$,`.?......)...t....L.u...B.jvxg.......@..h..&..Z.Z&x.m$q...)Ko3RQ..L%...kc1S.d.h.B..T,....b..u.8;.5....K.....A....T4a.@%.....:.k.....U.8.F6w..i.P..j.P.B.@.....8>......$E..V......z2.2...$:#4.7..T%"Va...J9.D#.<.ZJx....H.7E.&]....'...a.xT.qY....\|..+%..U..C........K.g...q...;.[.n..L

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.jfr.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	35841
Entropy (8bit):	7.895920206921998
Encrypted:	false
SSDEEP:	768:01aLV2OeSrEWXZIj4RiHRdIuRK4jpg9I6app5uU8OIW8Gp9xwFJ2I6fJZdTX:01aLNLq88R7qRQuUT9jp
MD5:	2AF6A1F2D4FB1FA1AD0E8150892C4A12
SHA1:	2A1DFA6D16CE9ED226BB541AF3AD11E8466D205B
SHA-256:	3E223217F96935D6890A6E3BE53F90BE5E52CE6F691844AC53A40CD64481FCFB
SHA-512:	E0CEA8C7A25A86CB61512186D78564AD9CE08B3504D677BA4E797C7FE542B0DABB4C5DEB4F06702EDF449B7531AC4B665BC3B278E92E888E04EFD3CF41F0A982
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}PMO.1.}...7.....^....7..H.z.Z....t...<...Q.n7....t.}..i?>.....P.T..yO.r@.V...l...y.."&.G\&.\|.].....w..3..K.........B&\K.vP&.S....E..FV.Nhl..h.........R.].W.C.L..Fw..V+.p..%..3.?...%.........}@.<......y..~..5;..dadcB-.....P_...u.cQp=...\|."...wpl...&..Z...ll..D..O/.c.!NlO.T8.j./PK...}..'.......PK.........n/Q............2...classes/jdk/management/jfr/ConfigurationInfo.class.Vis.U.=/.Iw2M..... ..!!.F4A.........;3.....8......}.}..Xe.H.....7h.....U.o.$3i1V.^.....=........O.P.j.!.a.(\4j..m);3.wh.I..5...oR.nj....Z.u."....&..F.sm]^f..).l..2.....w\|.....45....M......\|..YX...jI..3...v2...aO..O.._.Pp-................9../...R.PF.Eg{I.e....&...CNJB/..BB.).....V.[=.;.D...fq..B.8G..v.i..,!...7.&......".f.d.....;.........s.d4. .v\k`...p.B....Lj...I.9v....^....o.....4.....EAv..ia#nP.M...wX..UM.}+ko"f`K....Xa..D....v......);'.#..,tc..:n....rq..T.X.~...r..Mv..aE....Y..}TNP,..w.:.$t.a7.........p..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	69486
Entropy (8bit):	7.914145548898423
Encrypted:	false
SSDEEP:	1536:wQk+DDx0BvxFbTf8sCDrGvo9SFOwliS7QWAfRbfjM/Rd3N8CkQdyyFKLpW:wcDSFbD8s+A54E6fMH3N8CkQ+W
MD5:	295ECFC1A63647735DE3918D7B61AD15
SHA1:	7EAD8158CC54073AD4B5594446FC1275989D750E
SHA-256:	032F0DF66BD529D7D9838C9A0A76B7B825430EA2089B9C732B86F25EBC99DEA0
SHA-512:	52EDEA1A5315D5110B9031A0BE23C3952311BAC1FBFEAB758C59F89F1BABD3256C19D713FB3473CBB9F3498B2634883E3E57E55B7679B9392570779971619DD7
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}P.N.0.....]...c/M.D.p...C.H..&q+..]9I{.wq...(....a....v_._....:..>.j....x...l...E..%Sl.%W....:..W......\.......7...q.X.N.....K..&.[...m...A..A..l...N8S..k.s.K.....{.J................$d......xdf.3B{#T.7....z....T.....;...U.[..K.../.]..}.\|.jh.t8{.PK..s...........PK.........n/Q............7...classes/com/sun/management/DiagnosticCommandMBean.class;.o.>...k.Nv.&F....\...<.........}........d..\.x..Sjb.;..#.@VbY.~Nb^...RVjr.;..#.,H.......d.FF......T..TF.i............ ....$..8.PK....`.........PK.........n/Q............B...classes/com/sun/management/GarbageCollectionNotificationInfo.class.U.S.U..nH..... ..6.6,.X...4....K../.fY..d.I6.u...h..>9...XGf..........7.....B..R.d..{..\|.9.......0...\|hQ.W.@+C......n..+..0..3-.ah..g....._JW..%...4wM76....1....y=.F..T....'...^vJ............U...T.....n.U....3..v1^.X.".x.(...O.R....P0$J.v.uS.b.`..$..!\|7..._...>.KD..T1(.J..c*...."......i..1$<.e.,^h@]8'..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.naming.dns.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	60084
Entropy (8bit):	7.94170672965016
Encrypted:	false
SSDEEP:	1536:Ko+W+rGMpEXYiqAD+gL24MrD9OYvVng1y3iX2r:L+r5pkYit8PJOAVntd
MD5:	29EA5E44B576D8EDC8334535ED8152BD
SHA1:	3D42D41A1E32054DE879F95D3E8D26EF2C7D0A66
SHA-256:	004819FB8B5C46995DEED0477F074CB15DB7862E4C4A83B5FFB891D4FAB700CC
SHA-512:	91546F0FE574F78CC02A7E285ED981129EEB5F2077AF970B6B620DB739CCF105ECE333DD6C9E13150CBAA54D710EF6FBAFD910EF68091D4F6D72DCAF9C4D8DAF
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]OKN.0.}....C!.f...6...KP%.HHp....mb.8.e.s......$T.Z..Go<_.....qL.fV...i.b..a..`S.&....1#2m.&..."....?..w..S#5.r....c.<m...Se.g.T..._.&<D.pZ...0.j~gt.EzcM...D......N.g.[..}{..G[..T..........g"Q..k.'.'. ...H;w#...%...i!D.7..~.-_.....:.=~l]Wh..>.~..^=.3.~.PK..<..........PK.........n/Q............;...classes/com/sun/jndi/dns/BaseNameClassPairEnumeration.class.UMs.T.=.O.bYM.$v...i..v.......K...=a.NQ4..-e$.........`..S......f..;`.?0....M:YX...{.=....}....u.1p...8...[....6....-....%..U...'1...EE.....h~...M[.t\|..[u.c...m.^..v,..l..f..0_....e....@W0.....b.a:d...v..[.........g....1.p. ;."..C.q7-.......aN.q.Y.`H..b.h.~...J..T........q.....TqJ.=....g.,..P..3...(...1.....1:6}..Ke........}.u..5[..~..<.x.Qq..CR4.lt}.....n.<..!.....<..(F..$........_.-si..bX...}Ug8.;p4.#fA...e.@..U.v6,.....k..u..{..M.....^...I.!.8...V..Qj6C..F..Z..<R_...G..a.W3.C62.0d...a.....U..+f.]gP..J....$.CJ..h..Q.-.>

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.naming.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	18962
Entropy (8bit):	7.879095599349228
Encrypted:	false
SSDEEP:	384:JEJj14/v6ubRBwV+mtm5VpVAlF+D+6XZsLA2:JE74/CMemx+lgS6XOt
MD5:	F11E5D65863146758D0650872CB3A164
SHA1:	0E5EA724EB4EC991DF4FC7626DDBFE77FF313EFB
SHA-256:	9EE120517DD4F711C5C3662ED77555059861291DC78CF349615F0A51BC79A7E7
SHA-512:	242A225DEB9A88FF208511F772F19BA691EAFE2CF42597FA29A9D27B07CD7F5C7C5D5CA1B1B1DE381D8705E9F4D6751E7084A17642A56CB1802E0B3C9CD0E962
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuPKN.0.}SJ.-..O9......%R%.H...IL.6....v.s......8 ...<3....?^..\..MuT$b,.n....D0./.0.G.@.T.80..P'4.g.$..F.NYV(6W.dVfF.2...G.......)>.v.x..3.k.q...Oh9...!..h..e.]+.K.\i..U>.a...].....W..#t.uaB1....._..W.-..<...W...."'..REz..y...n...O..(..........z.R.....5t....r.b.{..8tu5.up.G.PK..e:..".......PK.........n/Q............8...classes/com/sun/jndi/rmi/registry/AtomicNameParser.class.R.n.1.=.l..&..BJ..P.. ..R!P.O.RQT.....v.....(<D....G!...6.<.s<>s.._.........TC.M,`..<._D..}....e....J+..P..:.Q#.z.$."W..\|d.z.'rYG.F.f.7p....<..:..m.K......3.J}.....8.NL...41v....I.,..B,{...;....g.Gw~..\|..w...g..V...oWA..$a)QZ...D?.L+1....U.<K.../....KX.yDx1g...5...Xz..'D.&..9et.....U....Bm7.f.....M.{.Gi..9......2X..0.;...G._T...3+.b..3.S.).....Q...yN`....!.2...A...g..v..>...+..R.s.ix..k\|..8...5l\..(.@....)..Q?-[_..x.Z.z..PK..............PK.........n/Q............:...classes/com/sun/jndi/rmi/registry/BindingEnumeration

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.net.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	16691
Entropy (8bit):	7.835716025973249
Encrypted:	false
SSDEEP:	384:X35ZZ+W608/ykiL+E3OgSd2yDLDoWlgv6LA2/c:XpZZ+W6zzPn4y3Dn750
MD5:	7B3BE04EFC27E0560C20006170E899DD
SHA1:	8FE7D7B4A04DC3F1A31F97CC17BAB31A94EC42E7
SHA-256:	6DBF1422C48BA474C70426686229DF1AD32A20582EEEE1E5D79F288933CFF20D
SHA-512:	E64FD473691976F4DFAB2001D15C7D72F2E64FB6F126E41D906A11BDDF600D0E5ACF6ABA54B0535DFA12104EDAFBE4309CF22F4A64BCE3EAC33DE6D949A97B80
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@.D..E.....g.D.wgb...a$(0..l=............z..O.k...X.y$.09I.Dp..;..'.g.....`...%..yE...a~.P.a....yFh......P.[.O.U.{......._....E...H].......+.].{.=.'h..J.C.v........=..PK...y[.........PK.........n/Q............-...classes/jdk/net/ExtendedSocketOptions$1.class.V[p.U...-M.n..-.r.R.....PR...46$..E@.....lw..Il._.~..8<..."......_}..~...Q....nz.I..3........k.>...>,@.......a..3........O.n.xa&3\.B3....[34.....=.............j.........G..]}..{.....0-..yU.R.Um.=..a..)#....I....b.z.a...i.........9..J.K3....X..R...a.T..]aG.Phpt.p$4...`X....W1......p{LS..C.V)X-7.....U.q.e.P..7.........$3.;....K...v..`..^.7......!.6...1.Os..hW......!....#2........D.......]..A....\|.D.d.).E&.L'........=7....=.i.\..Pp.4\<c......J..u!.7]gL.........uc">.....".......h.W..V.=.-..4..15.ER.q".....f....a.,h.=-.g........F....f.W3<d.IU...qZ.B5.!..V.O.K[...~0.y.%....U.[.i..4..0...fP.~..Z.K{..b..F....I.....c..._....Fdk..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.nio.mapmode.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	7.585716552925947
Encrypted:	false
SSDEEP:	48:pIVaWgvq2vIt8Fn3fjPRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DHGavq5:Kavqbkn3jKvJX/Agxo7RA1LZZAL8Gav4
MD5:	6580F1626A2C55DA21AC50143B4C92C0
SHA1:	A28A5BA9620948355E0CCC9637C740963D3EDA92
SHA-256:	624B5898A3FBCD11E6E6D681871B9E8B307684CB068C6F17E66B7A637D7531F5
SHA-512:	820BF4E3A1BFE0711F1D52FFF9755B0D16C36E0B50B5E2D11D1FE90F906DACDF3453084BD1EA0E776E3084386ED39CEBF9E1922B53F82B0E03FEF00B224DF3C5
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.M..P.......C[.&...I$l..GZ.'....,...kK...s.sr.........e....&{....."~..;..,.%..YQ1.Fh.S6f~M=E...B't.$..L....Z..N,.P.e..`.... 2.Y....../.$.E..8.Mn@...`...0....z......~...fU...PK..I..........PK.........n/Q............-...classes/jdk/nio/mapmode/ExtendedMapMode.class.Q.N.A.}...."......9y....d.D...i..6........L<..~......R.U.......7.e...B.A.......x.^(.w.h. !d..V.>!..u.G.y....p.+..t"#-B.....>&R7e.D.t..0\|V=8.......u.B..-.V./..Z.0..T(+_.Z.g9.a.U$,...o..6.~..U%..FR..].._T-..R"dVL.WZ...D#....Dx)"e.~2...... ..r{A._P...if!......1..UB..2v.HX..6.,..~...>.+<t....9..f.vl&e.......l...ly.m.&70....`...s.....C.pz..0f..mR..v.~.Y.\|...`.U.?.PK..8.~M........PK.........n/Q................legal/COPYRIGHT.VMs.6...W..L.I{ir.$n....N...J.A..@).I..}...e.i{.@......C?F..f.....KC?.}.kCwQgHz.S.ds"..Y.MZ.K.X%.&..3z%..M.B..2.S\|t0...:..6x.}.;..i..D..Ye\|..&..wI..Xo....h.['..!..B.\HC.W.g.8.z$.q.....Kob...=.p.].>.Ld...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.sctp.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	23570
Entropy (8bit):	7.699516108218091
Encrypted:	false
SSDEEP:	384:/FWdT63qGA2s74PPf+AfdgcirNa6hTbdJ3ZBR6ZhF62WmhSWDdulpLAEU:/c63qXDMvfLirFXd6Z2gDdufS
MD5:	7579F5E9191D26076513F0D62BA63763
SHA1:	A983D608C3087FFDE4E1A2F76C4072766CB52763
SHA-256:	6BE9DE8083B09B782B7520691C2B1B9CD8796ECCFA3101A205853CD3CE22FDF0
SHA-512:	EF643B3E4252448E6AB98CFC2F7309A0D41D53EABA8B3DB4AFA86BC09EDA1EDD49750AE5763E542073B142B40F9F541570655FDFB841709797D59433CB09997E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@...&.x-].D....S..... !.e..sY8.C).................B-T^\|..?......,..N(..iq>va.....k^..::...WN".P"..../....[s-....K......i...BB..,........i+...<u...z....!...$s.MS.(.\.q.%.....S-gX...W..PK...0S[........PK.........n/Q............:...classes/com/sun/nio/sctp/AbstractNotificationHandler.class...n.@...M...J..CiS(4).....".@.R.V$...ico.....7.^...n....x(.....s.....g.ofl.........4b....`.I..c..k]n....0.C.$-....\|.p..XH!...d.V....}K.....:.^p....p.]:<_.7_...3.j.....1l..-W9.Pu[.#ip%mkp0.E.........m...5i.z...N......l.w..#....P..2..s....t^.......J.^&.l...`h.Zg#...G...z...A.0..\)ntz.R^..L.a.....l[\....i.....#d.k..W.R..b....R.."g......TL.....+.L.]..3.~3B.!,s..0g/uD..y.z.\...z.`..L..5{i.!..ja..WV..\|...tM..CC0...!v.7Gs.....:..F....$..F.+...ed..}.E.Y?.s.q.....\.u.K.<.d.n.&.{roi.'.....!...Z...@.[..m.}.+.C:K>%6.Z.D.`.\|k.....\..l.e...37B0..2.Gd>.!...2.........i,.aD....#..V..PK.....}[.......PK.........n/Q.......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.security.auth.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	75417
Entropy (8bit):	7.957051837625358
Encrypted:	false
SSDEEP:	1536:rLd/gr4QC4zcxQiwrk+79xRDxqWXp4kE/eoBtAi939FMp0t0NmwELQxqbJs8hneK:ejouRxH9qWXFEZ0is85rgyn
MD5:	24AF92517AC1A65B436D2FA612EC7003
SHA1:	32F019F2D9057A52EE79A603637753918991E193
SHA-256:	8D2196DFD3096919F43852D654C99D3D52CA37A58A311A540CE6A14D367B1482
SHA-512:	D4FDC8A4300591297595A2B7051F9ABB41EB5A833E813508160779EDB45FA7C1BAADEEF81B768F74C457C719B7C2987C601C64AC920C8FC18F37685772C908D8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.P.......@.....b..D.w.hL..8..z....^v<.....2.."..@.............p.CB.....{.. B.O.h..F(..g#.V......)B...81N....6..3..3ft...-.b..d..YBi8....td.....:....F..\.......-'.5.......s4h.J\x.wn..f-.~....H8...y.4....8...o.cu.q.."a..'..........1nN.f...I8.i.5..6!S....W...7.7........!a._h...]....l.5...}q..&.{M..8..._cZ...[T..-E.,....9.%.`..(K~.{.....s.Ws.~.PK......n...#...PK.........n/Q............@...classes/com/sun/security/auth/callback/TextCallbackHandler.class...O.A........."...C).M./x.....F..&...uC....n.?.DC..?.?.8{-5.5.3.3..........XqQ@.A..-...C.E.PF.b.{..C(..6....j.....f.HU.%.....P..(.C.a...w2.*q.XA.....j.&<..#..@f./..R...!..........r..Wq.3.f=..=..M..~......;._..J.......]...v..L...%..)a.}.....e...$.}3...h.g....u,.w&.........4.....%\|".C>.Y....>s./..p,..@.S.!;+<.6..u...(........O..\|.{.W......Jx.z...y#...![.....b[`[m~..v.z..Qn..f.>..J...=.c.=a...X.h)./..PK.....`....`...PK.........n

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.security.jgss.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	25069
Entropy (8bit):	7.861186641428454
Encrypted:	false
SSDEEP:	768:dGve+SEzoJirQXHxGTjCsxc0T3iQCVSJqdSE7g8gGuICe772czgyO/CS:d0e9EzyirQ3xGTjrxViQ0kQg8gGuICeu
MD5:	0818A0480E8735784DF484F633893DAE
SHA1:	B210BB4F8C1DC9EACC0531D645CF77A5EF80E30F
SHA-256:	6193B8935293735A0E075950A43AC9C2FED9EBD333CBC5CA2ECF3508E550FBFF
SHA-512:	9F881002F03343453B7903B6471ADF42F4769E61D26F7AB4AC31524484FB201FE25A9FDCCB90D03B337C42EE8B3072EB2A845E3DC3ED854E39266EFF19E55D1C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}P.N.@.=...S.........Wn\.MH......A'.P.;....G...&$N2g.s.g......=.......M. B..aGl....m.<...v.Hi.J.Mn..{B.xb..<u.9N.c. \.I...Qr...:.^...Lr.MBK....0.L..}.....L....aX..g.X.>.....~.'?v..g..B..y...0../.W...2c^.....xeY....:L}..c.........E\|.SuNq.....P;:....k...]-.R{.3]SQJ.....PK..D... .......PK.........n/Q............:...classes/com/sun/security/jgss/AuthorizationDataEntry.class.T]O.A.=S...../.....RYQ...b..M.<@0..3......Yb.%...4.H0!>...wv.@.F.:sg..s.=.w..:>.....bh..O..M...\|..6w6...0%C..Xr..A....-..I.".3.].....f.Y.jlo....[.g}..r.y...#.C\V...+&.v..I\G.!.^`h4m...=S..E^.v%..B..b...C...@Z..$>...{...V..@/....-.0$E.P.66......S.H.r6.)..v.i.a...;b.uL..Zr.,_rG...^,..^.GB.E"Z.....d9.M.[../.t..&..g.s.2..,".-...D.m....M.\1:.wB.3J.f.F.]..4...x.X.T...3..8j...J_z\|. ......<......S..3...wwD.).v...U].I/.9F.K....*..N...O..@..%.........bI.o.s.+..L..f....i..W..'....8....._..:.O.i.f...+uU.1....l.)5.d.........z.N

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.unsupported.desktop.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	13963
Entropy (8bit):	7.775458355384311
Encrypted:	false
SSDEEP:	384:xzRgcWBxiV8wXQMbX9Z0aIg40ED5rfPLAJmnhB:xnWBQLz9Z0aV40EFfPFnhB
MD5:	510CE41F524D16C86791C0064A589E7B
SHA1:	78ED6092E0F150A94460ADDEF8CAAD601AB5ABBC
SHA-256:	AF7E7BDA39FB3EA6A8C41669DBB86B41B6799E7EFF379CE757981E5B956BB24F
SHA-512:	20B6517378381D379A052997642BF23B5B057EA33C2E0BC962AB6B64E989FDAAA4CC3F02BFD7560D26189E55C7CDF13555BA272C476AD984CD0F913730BD16C0
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuPKN.0......J..V,....a...R%...M.&.#;i.=......NR....G3~..\|{.p.3B7.H.8R.....~.l.W.0Z.....Y.M......\|4...-.fS..&v..p..\........+..h..e.{.V...z......P[.Ym07z..i<........4K<...']..\|....x..&.../b.J..R...2'.]..k;....{.^..(.>..p.j.......UBk.w...1N...:8..F_PK...E..........PK.........n/Q............A...classes/jdk/swing/interop/DispatcherWrapper$DispatcherProxy.class.R.n.Q.]....X.E...R.h"...&....i.m0..a.D...A.?......?..2.3PQ...k..._...h.QD...r.. Ox4p.6...izA"U.5w.8.....Q$Um.y.....\|......Vg.\|..b...%X..@..M_0.7.N...Kv.Y..5..R.e...B.\`..z.y....pS...U.p.Un....}y.HX.;S1..A z.l.%\.p..U...y$.0p.:.aDX..c..%..j.....0Hk{..Z.m/.c..!..]I(u.@.....:...+...~W(O.dN...d..........`..C..=O...Gv_......0.eZ/.@../.X....4...4@......e.8.......c.2l...WP....9....y...2.`...;.`K.^&.......:..3......<....\|.....gX..0.B.a.)Iu.8!..&j.x>..r.>...#'......v.v:.R...oPK..s...........PK.........n/Q............1...classes/jdk/swing/intero

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.unsupported.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	17477
Entropy (8bit):	7.858834131732098
Encrypted:	false
SSDEEP:	384:WssxVkcgUhibEPAZowuCxykS7ug+aM2xbWCwRNXkoYufro8LAC:cekAiwuCxyvugjMqCCwAuzo8p
MD5:	76B5BEB2F821D1CADF6FBC86B4AD3EA4
SHA1:	353EB41AD10248539929CA4D4E52099C2233798E
SHA-256:	E390AE217A83C38651EAAAE4BB00941F53C3E06C70F5F6E335713333432BEA27
SHA-512:	A48301D836C6865B210FDA8D5252611E39C9BCB30A0E328C96A6F934B169B5FD31CC3ACAF0438DF85F1F4B846F1A1FDC815043C885072396F88018BC6DDD212C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classUNAn.0....!@.M..S$.K.!U.0......\yW.}@.U.6......._.......&....K.+3.....v..0?.#s..........=.._(MSX...LQ.Z.....4.9....ZY..rL...v...3B.f\[....7........#.KK.^.-o..#..J.s.K........#.>..\....>..n.H.+.8....B..N.7..}.d?PK....q.....<...PK.........n/Q............1...classes/com/sun/nio/file/ExtendedCopyOption.class.T.O.P...^e...8......."......,....?...b..#._.$@4.~..2.....bc...{.w..........,..0$5....b...c......VY/..{..{.a[Q0.$..a.Z]..oll..\}U.3<,. .p...Q...X.ea+_d....X......n.0.5.t...\.U.U.T......k.a{..pKB.n3t...z...f]_.a.K.X..j..i..]..V.....0.A.H..7.H.[..%.w0,`D.].c..-.R....K5..Q..q....F.T$G..$p.F....i).\.@8J...-I....)x...~.a.....R.d.y3...H....S.c...R..^0.V.2...`X.Z...;..I..kb.}.f..lM5K.cp.&a.R.:....hP0...^.*.......e[<.l....h.X.[w.....\...jfs".).x...f}.(..y...]w4.....n>.m..iDz.@`y._.@l...t.i.D..St...?....t.C.B'.....'\|..4..xR1..g...q\|..~.V...S.xz.zZ9.{......).......9.qt.../B.N.p..Yr.Y...5.$../.p

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.xml.dom.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	42290
Entropy (8bit):	7.301009409584117
Encrypted:	false
SSDEEP:	768:GyvMIZQqx6mssgRqwShvKe8l5sFCIvV9XaK:GykJqxdevm3ptRaK
MD5:	476A6F2B11BB60D05012AD03D982E3C1
SHA1:	2796654C41EF4AAA09D23450B3F7E616E63ABA33
SHA-256:	905C70A0DD7FC8C9F4547388EB492992B43D26FDC3D6808D9A4DFFFF577C3FAC
SHA-512:	EBF7130DB716B4FFB5C4F2951E16464A683E0BB5B65D633B7F13EFEC69EC570D9B34DB1E7902761402A9068E0EE7A0F7EBAFE0BD96648BE9CFD993BDAF420E17
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMN.R.0.=W.G....K..TFt..3....6...8M...\..~.C..wq.........x..._.d#.,_....0n.l.?..,.....%..."..w...#U.Qu.G.b.Ct...B....MU./)t&..O..I..~p....z...k.`D.:j.......)c.Ka.=....xy..B..G..0.a...U../....8............]...e...9.8..?..S.u}\....PK...F3.....r...PK.........n/Q............%...classes/org/w3c/dom/css/Counter.class;.o.>...k.nv.&F....t.r.d...\...b}....."v..F....D...t}......F..........."F...M.......tkF...2......T.78. .(.$...+8..(9.-.,..Q.d..#.#.3..0.......r.;....@..@.....PK..............PK.........n/Q............,...classes/org/w3c/dom/css/CSS2Properties.classu..x.G...`.S..N.qh..M. ...bc..):E.P.w..Z{..=[2%@B...{..z....{...3;...w...y...von../..K=.;...y.U.3.3s...L;...f..V..'.4.4..x.....L.G...c.E+.x#......t..M.8.T.4.$.:r.#d..;.[...C;-.K.8..5Z.N..\|4.W..9.;I..&....l.......l....Ig..8......\...Q.D...\.)...G..)..U./g6E..a..'m!g4L...r...#9...n...U.R0.w4{~K.&.....4..P..A0.w..=Y.S.........x.1.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.zipfs.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	102661
Entropy (8bit):	7.963859985844485
Encrypted:	false
SSDEEP:	1536:kipzltxqDIygENgDWnkIgwqZOQqcK4kLvPx0aKeXCCIPuV/ingD4IJT8nYjIrSb0:kipXxgIy7Ng6kqr34e7Kw7Kwtmd0c
MD5:	0FF732511F74426FBE09EEC982ED56A2
SHA1:	D06B4A0E2745AF3C47E51721347852827EE18707
SHA-256:	9DB03AC8466E45B2FF32F419686E9B44286B2B29A7FCF2B1C7DBC0BCD46C927B
SHA-512:	E0A5115D5683D2E68E5274D77D007C35ACA02C137D8D52461889289282797ED29F57DC5FE1D604D0B09EE11F4152C7AC168CEF7BC681A8890DF1589301784E05
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classm..N.1...UdD~D..;..J.l.#!...J;..L'S~"+.....C..h4.I.{..n{>......!.S..K.Y.".....s.Q..\/...Q!T{O.Q..M.ef..........Q#<.2 .]..s+.\L.....m.6E.:...[.....M.....)..e...Z.b...53..8./....G..L...T..{....k...m..p.g.....a....M.....3..PK..........K...PK.........n/Q............,...classes/jdk/nio/zipfs/ByteArrayChannel.class.W.w...~&....E@Hb..$.0.....M"...jB..U..N.!..ev....V..e. Zmm.....,9m.i...?...C.{N.=m....I....{......>..y../.h.%.e.V.6..mi..k.;.5fy..Q....J..s.{G.[I_C..c...B.-.:".nPB9.N.%]'..<....nr"..gq..g..!.....#X..e..r.5.j.B.5.S.m....3...i...<s.g.t.+M..1.!.X.`..v....UXE.#.Q.e..eq....VC8mf....:.....Yy..@#.4TzT.:.i........d..Z...6..N.[6b.....f.-....l..f,G.[.l.e.rR.....)Q.@.P.P..+W..I..`.......r.t}.T.....D).A...-..L..V..1.!...,.3.Y...w.$.....Gp#.I........nE..N...v...DzM...M....x.%..u......'....N....R)..K..s...G.=k.d.9c..r.....J`r.V].n.H,r.].^.[.;.\|.d....Rs$m..U$-.=..}.6.y4.xe2..[)..3E....(...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1039136
Entropy (8bit):	6.580236835541948
Encrypted:	false
SSDEEP:	24576:fXAsqzXlKZSxpJUlwtC/jCQ6tGh91Ds9H2LUVMhmP3oRaEt:fX4zXlnAlwtCbM891YVH6
MD5:	5E807B5DAD1B6C81982037C714DC9AEF
SHA1:	2B818F50C0CE821CD0278C714E57CB591B89B715
SHA-256:	AC94FBB73EBD0CE13AEA7C1AFCBA0DF9A646CBE5795E804FA0C0AC4EBA259E16
SHA-512:	665EA8069E8D75089EF9292DD6F07E19FA7F7FA1294D44F45D017BCED0D16C8281260BCA4AC7896ACBB0DFFB483BFB13BA4298D767A4BB1A91D9FA437D6BECFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......9.}...}...}...t.[.k...........5.w......i......w......y......x...6...m...6...\|......z...}...L.............\|....7.\|......\|...Rich}...................PE..d....9:.........."....'.....v.................@..........................................`.........................................P...P............`..@........j...... )...p.......`..............................._..@............................................text............................... ..`.rdata...c.......d..................@..@.data........P.......2..............@....pdata...j.......l...6..............@..@.rsrc...@....`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\sauighfs.rar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	414734
Entropy (8bit):	7.999579684529074
Encrypted:	true
SSDEEP:	6144:wytwDdC4Dwiq2WcsTtzOcXhTbmsCLJEOggUH/FtYSeWQXqmjY3lm:wSQ8YwLh1O+TbmsCugUH/JeN6mjP
MD5:	F5A2914DC05AC8B460D345F02D20B4AB
SHA1:	C6484A6F0F3D1DF45A87A9F7318A2A7455935680
SHA-256:	B86BD3C5B4A7FDFECB317B17E55587226351356BC12A9CA30C6360B16CEBCBEE
SHA-512:	4FBE0252CBF08989869C4646C4B80EA3209D3CF78D71D38D25502F5B314EDB855AE14F425439A8E816B8FB675965DFA11B358995A66C710F53B8F0EB5EAA7B70
Malicious:	false
Preview:	Rar!........!.....Eqvj0e..5t>z.!Y..?,)Y}V.........E..Ysas...9n.....^w...#.L....4...Q...9#.\|....w\.F.....u.........Fd.^.:.w-!.=(..E..H. t..SV..).....N6:-X...~L....C.D9g....Z.. ..........lc..6...d... .....m../;..o.o.....ZVf......t.&.m.q....t8....T.].Xf../...\.bVp..V.y{.....4{.OQG.k.f........{#Q....V7.v.F.....y.I.9..C.l.G...f.$y...=;..;..UL....)H./fT..#.....].{.;F.<\}x.f.o...2.r..=t...O..i?.YIU..}.i+N..`IP>}S.U.z......b.bF.]...$..).8..\|.TS.d.ot......X.<..........c.E...I...<.I.-....u<...&<...e^..ZW.gP2....a..:.0k........o.2..};j..Q..R..;.._...._.A.g.k....!.e.....Y......x....Psz..H......"S..0..Ez_5~...u..o..n.b.zp8.F....?...EDX7..I#G.e.......gl....P....2.V.......b.S ..z.T9.3.\&h.....J.....h.{m......v...v.../.,.9..U ...V...y.z...............0.".b...i.]L..p.....r..+T@.Wc..(G."+.......((.@i...7..{.......Jh.S..7..w...._...gX....(.^.N...G/..v[........d.9...f...XP2.J.{....a...k..........&..n@./.6.8.i!.n..NaXla.31.q.....w.7.B.... p..8.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	984312
Entropy (8bit):	6.338396454828307
Encrypted:	false
SSDEEP:	24576:ee3xAibB85Z1HrWtB8z1L1OBJB5zzz3zzzozzz3zzz6O:lxAibBEZ1LWtBzxDO
MD5:	37CA63447784D68545801EB2F9DFE1AF
SHA1:	4575FA78C6E54480A1F2DA51082BFB9538649DDF
SHA-256:	31F5E43E9283CF2469D8B3E51E7C28C132C6ECB0DAB855DF52CBF21D5394AE0B
SHA-512:	49A16F4ADE2A434D0E502571E077529CAB54BC98BD4D3EEC45C86A9CFC9623F6830F4046B94730517C6706FDA71C54490EB5ADA538A157D0CC90DC413FA008C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.............................................@.................................... ]....`... .........................................B............ ...(......D........:...P.............................. ...(...................h................................text...X...........................`.P`.data...h".......$..................@.`..rdata..............................@.`@.buildid5...........................@.0@.pdata..D...........................@.0@.xdata..p...........................@.0@.bss..................................`..edata..B............f..............@.0@.idata...............h..............@.0..CRT....h...........................@.@..tls....h...........................@.`..rsrc....(... ...*..................@.0..reloc.......P......................@.0B/4...........p......................@.0B................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\71da1f76509d9c721d84655251014c87_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	59
Entropy (8bit):	2.219411074181711
Encrypted:	false
SSDEEP:	3:/lGlle2QwXln:8A2ZXln
MD5:	62E024FE2476732F71542D38DDF3F263
SHA1:	304A79B7904E2E1017AF6BC24461D2D7B4EDBDE2
SHA-256:	A05BE7F1BA1635E6CB5A46F778B93A0CA8FDDCD60C0E91BE3A9E86040DB067A5
SHA-512:	33162E2CA0135E03436491349B6DA65660B5D0F295B97E5243F4A4E380B51D7D6F00AE51CD48894B4149B6771C8E193E70061A190B6ABFC8B1FCAD3AFE084A7D
Malicious:	false
Preview:	........................................Advanced Installer.

C:\Users\user\AppData\Roaming\Microsoft\Installer\{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}\icon_27.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	175255
Entropy (8bit):	3.85622158771748
Encrypted:	false
SSDEEP:	1536:45DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPU:45Dt+e7GVBFvvMg0Vj5Ho4CIDPU
MD5:	333EE8442C6101D0CD9C874D0AD83EAE
SHA1:	22278A01E88B826B16D4936FA254E457B9ACA059
SHA-256:	B5FDF4A4143964A46B7F2BBD1357D075C786F7AFBBA0BE3DD7B2623F379271BF
SHA-512:	04F3BE053ECB44B11FE9ABDE941BFD367B17C0532B2C634FC42AF85CF1BE68C0F495B13F4B3CA35A4DD9E4535629EE1A615001A244DC1B68C871AB364A0A704F
Malicious:	false
Preview:	............ .A4............ .(....4..``.... ......<..HH.... ..T......@@.... .(B../&..00.... ..%..Wh.. .... ............... ............... .h.../....PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..yt..}.....8....H$EI<$Q$%..:.Hv,.Rly.......#..N6...v...dm.....%.2e.<.."-.$x..A.$@..\=.w...68.....`..}..7.X.U...[..U....A..A..A..A..A..A..A..A..A..A..A..A..A..A..)Q.l7...MM/.Q..J)[Q.0........e..u;l...q...X"....v.nj.hV2.j.IR.CS<..C!.O..iY`..f4j.....Y..w.....c$........HB!.....e.A.h...+L...4{i,f,QU.A..D.Z`...R..b..B-B..qd<.b.D...$......E...NQd:..D-..S)..5..Q......e..Y...E.....Y.LZ.E"..D.\5>..4MZG....RJ9..WW..C!....=....y..*.I$...HX..w..E..A.(....E..pl8....F]....16......M. .v..D.......Xm-.,..{.Lw,.+.e.u.z.....,......$Q.......?u..E.h#..".^.P<....K...4..D4..;..g.q....<--/.55....FF.?..K}<..n.....e.UQ.._......y.e....zj..[.....@.hn..,Z.....48.}..%...b/..v..>..t.ow}.......=..A.A.(.MM/.p....~.......R....r..g.]w..7........Y....3(.(.y...7lM.S.(..;:.......

C:\Users\user\AppData\Roaming\Microsoft\Installer\{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}\icon_32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 96x96, 32 bits/pixel, 72x72, 32 bits/pixel
Category:	dropped
Size (bytes):	74814
Entropy (8bit):	4.157215135011018
Encrypted:	false
SSDEEP:	384:2y2eKfQdkzvDKIeTzumt2yr8XbAVzpEoYR:23eKfMkjBozuI2yr8XQze
MD5:	346BAEB443ED5807042532D5A8CBEE66
SHA1:	9DF37248D164B816E0060FC61DB52968E5753644
SHA-256:	578D9022F7CFF1B54D354757D9A49859A65B168F6D9D42936317D893E6106940
SHA-512:	A51DD07A8E8D1CD4F2ECEB6869438F1EFBC030AF42C9248769A82B85307BC955FA06A0A05328C406F94541B1C238A010B4612744ECF22984C9FFDF1F9651B71D
Malicious:	false
Preview:	......``.... .....V...HH.... ..T......00.... ..%...... .... ............... .h.......(...`......... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6b85d1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {9ED1FB04-2953-4096-9113-EE8E25C60EEA}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 14:37:02 2024, Last Saved Time/Date: Thu Dec 5 14:37:02 2024, Last Printed: Thu Dec 5 14:37:02 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	56197120
Entropy (8bit):	7.979385153160636
Encrypted:	false
SSDEEP:	786432:U+Mh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZL:UB6FnkF2d6VXXtzR5mgvkz1d2x5wKkL
MD5:	1F3F76A13D8E6ACF1D558A8E4881D0F8
SHA1:	79547BE133BB2324B747ADB207506B5442A2F245
SHA-256:	0339FED5C288BCC81B2C228B4B10924317BAE6C529D9AC17B8007F0285B06295
SHA-512:	CA0AB83C049246645F38F65A3021A310B3D8B97D00D71C951211D89B7F764916BFD2FD765EDAB6FC6E734397F4CDA9338A2EA44407AE978DF783923674F6321F
Malicious:	false
Preview:	......................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?......+...,...-...$...%...&...'...(...)............................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0......................................7...9................................................................................... ...!..."...#...$...%...&...'...1...)......+...,...-......./...0.......2...3...4...5...6...:...8...@...D...;...<...=...>...?...C...A...B...H...@...E...F...G...?...I...J...K...+...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i.......k...l...m...n...o...p...q...r...s...........v...w...x...y...z...

C:\Windows\Installer\6b85d4.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {9ED1FB04-2953-4096-9113-EE8E25C60EEA}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 14:37:02 2024, Last Saved Time/Date: Thu Dec 5 14:37:02 2024, Last Printed: Thu Dec 5 14:37:02 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	56197120
Entropy (8bit):	7.979385153160636
Encrypted:	false
SSDEEP:	786432:U+Mh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZL:UB6FnkF2d6VXXtzR5mgvkz1d2x5wKkL
MD5:	1F3F76A13D8E6ACF1D558A8E4881D0F8
SHA1:	79547BE133BB2324B747ADB207506B5442A2F245
SHA-256:	0339FED5C288BCC81B2C228B4B10924317BAE6C529D9AC17B8007F0285B06295
SHA-512:	CA0AB83C049246645F38F65A3021A310B3D8B97D00D71C951211D89B7F764916BFD2FD765EDAB6FC6E734397F4CDA9338A2EA44407AE978DF783923674F6321F
Malicious:	false
Preview:	......................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?......+...,...-...$...%...&...'...(...)............................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0......................................7...9................................................................................... ...!..."...#...$...%...&...'...1...)......+...,...-......./...0.......2...3...4...5...6...:...8...@...D...;...<...=...>...?...C...A...B...H...@...E...F...G...?...I...J...K...+...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i.......k...l...m...n...o...p...q...r...s...........v...w...x...y...z...

C:\Windows\Installer\MSI90DD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI918A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI91C9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9238.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9297.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB0BE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSID1F3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSID242.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380520
Entropy (8bit):	6.512348002260683
Encrypted:	false
SSDEEP:	6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:	FFDAACB43C074A8CB9A608C612D7540B
SHA1:	8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:	7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:	A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIE0AB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	787808
Entropy (8bit):	6.693392695195763
Encrypted:	false
SSDEEP:	24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:	8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:	B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:	CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:	748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEA9F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	256864
Entropy (8bit):	6.8622477797553
Encrypted:	false
SSDEEP:	3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
MD5:	E0BFA64EEFA440859C8525DFEC1962D0
SHA1:	4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
SHA-256:	8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
SHA-512:	04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....vv..vv..vv...u..vv...s..vv...r..vv...u..vv...r..vv...s._vv...w..vv..vw..vv.G....vv.G.v..vv.G..vv..v..vv.G.t..vv.Rich.vv.................PE..L.....$g.........."!...).(..........@i.......@......................................;.....@A....................................P.......p...............`=......l....s..p....................s......@r..@............@...............................text....'.......(.................. ..`.rdata..XU...@...V...,..............@..@.data...............................@....fptable............................@....rsrc...p...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIED11.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	275154
Entropy (8bit):	4.599719655057463
Encrypted:	false
SSDEEP:	3072:jV9/emZyzT5Dt+e7GVBFvvMg0Vj5Ho4CIDPNe:jV9WmZGTx0RFvvMg09DPNe
MD5:	7B07FD9F929DA1B61200A9FDB47198AD
SHA1:	BE287D4660FCEB2D6032C7CF8FE92347830ABF99
SHA-256:	BC9A3E0997D9ADDE8A647DE4E2C9345E8088F9B578220598CE75B752BBA87BD3
SHA-512:	3E0D13C328909D5B7E365254F24FBE4320EA3B1BA455F2124B7F62AA0BABFFE62C15A284BD3616AA46656D942952AB20AE1BC4AA2A7CC0E7BB31EC1470B4B632
Malicious:	false
Preview:	...@IXOS.@.....@\|>.Y.@.....@.....@.....@.....@.....@......&.{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}..Ifid Apps..Setup.msi.@.....@.....@.....@......icon_32.exe..&.{9ED1FB04-2953-4096-9113-EE8E25C60EEA}.....@.....@.....@.....@.......@.....@.....@.......@......Ifid Apps......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@(....@.....@.]....&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}8.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\.@.......@.....@.....@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}).21:\Software\Grovi Tend\Ifid Apps\Version.@.......@.....@.....@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}H.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll.@.......@.....@.....@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}C.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe.@.......@.....@.....@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35

C:\Windows\Installer\SourceHash{64A66691-0BFB-4BF1-954B-C4F25AD46FBE}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1625932204254368
Encrypted:	false
SSDEEP:	12:JSbX72FjFJAGiLIlHVRpMh/7777777777777777777777777vDHFnUH5fp3Xl0i5:JRQI5clUZh6F
MD5:	AD7936AF502638CF85220B7E50E91ACF
SHA1:	97A0DCC6EEE955C77F0A314F0BA68FAE688E0636
SHA-256:	0C3813D54A1A7616D07641CB426B8AF56BABB30B03EF0438ED2265745E5B2848
SHA-512:	D81AD7BC7FC3D415E00BE049C58D653D76BA1D6B620AE3176BF90F8BBAF039DCB1C6AD8B774821D48112C938EFA3FCECE19C440B3AF767C850761ACDFC2F9579
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5531607290802252
Encrypted:	false
SSDEEP:	48:y8Ph9uRc06WXJanT5EgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:dh91RnTWgcP5rQZlC9WX05rM1
MD5:	9B21BA4CD47B99CB3C2ADF92FE966D81
SHA1:	FDAF4BD5ECDB4EE4B9B73E0F4A96DD2A330FE145
SHA-256:	0A7B91CF3AF8F3F806523AE30510F5854310C19FDA900E7BB416B227C0C9B263
SHA-512:	7F20645CA5B53CF6B74214AFAB255F4CB9E4224F0935891FAA82622CD13259D4F450D8E37337A1F4DA0B79BAA07BEE01BE87B46557E61EF34EEA6AA2ACA089CE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362967492888657
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauS:zTtbmkExhMJCIpE7
MD5:	18F0C45C095CC9EF5C80B77A23C590F3
SHA1:	44109B921C047B4C453D19B85468E973E740D51C
SHA-256:	D0E1E24A0B51377ED5705D70EC2DACDE13A926AC7BF832257A70AC4F45B5FBA7
SHA-512:	87B978AF9D2291D7DB94D56A2F43B37264C6A23F5B37002301A850952E0B339E19788E4C93AE749D0853479BF6D5C7A442CE298A77ACC814D1D87C30E8AB9F47
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF051FABF19EFC7282.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5531607290802252
Encrypted:	false
SSDEEP:	48:y8Ph9uRc06WXJanT5EgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:dh91RnTWgcP5rQZlC9WX05rM1
MD5:	9B21BA4CD47B99CB3C2ADF92FE966D81
SHA1:	FDAF4BD5ECDB4EE4B9B73E0F4A96DD2A330FE145
SHA-256:	0A7B91CF3AF8F3F806523AE30510F5854310C19FDA900E7BB416B227C0C9B263
SHA-512:	7F20645CA5B53CF6B74214AFAB255F4CB9E4224F0935891FAA82622CD13259D4F450D8E37337A1F4DA0B79BAA07BEE01BE87B46557E61EF34EEA6AA2ACA089CE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF09C934CF70B1CEF0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0DC12C2A09191783.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF221109474698ABB9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF23B0A6C629804651.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3EC7492D769267C8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2456949116439096
Encrypted:	false
SSDEEP:	48:9mFu+M+CFXJpT5vgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:QFuRTZgcP5rQZlC9WX05rM1
MD5:	924D0ECF7AFAF4963CC9F69EED098581
SHA1:	1378A26BC8A52EA57E9717DF5058F3779F7767C0
SHA-256:	E9B3228A38D5DDF624B5A384C6671D13141AAE3FD5015BC1462DA8DCF41643C8
SHA-512:	AE99AF590ADE18656D5C1A2BF0EC0E6E7FCE213547CAC8393CC8A082B18D83888F8193FBA0574064A8D83DF97585E1E4057E8CB0811B1EAF3CB51E14B4791867
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF49DC11F283CC2ED2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06930748596941258
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOMOfRGs/8EaQyVky6l3X:2F0i8n0itFzDHFnUH5q3X
MD5:	1B7EE4EACCB76E2D3C1520F9EFF53099
SHA1:	047A10206008CE74B8DCFD1FFA5EEBCC5BCAFA97
SHA-256:	CF137B3D9D83E33CC7C6AD6B1B452ED2C4A7CB44D90447C95E30FAE4AC8B9B46
SHA-512:	41DBD47BCF65CA3A320290FB568F0F5EC75CF1141D0724473F4F0361BF2D9DB25E4D8973DE6EB1D884D47A28E3E6F615661748051F4B22AD38EC104F5DFDF658
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5E9D9845B78F3BEF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13297161639954114
Encrypted:	false
SSDEEP:	24:HBAzETxQoXojADsipVQoXojAD+QoXojADsipVQoXojAD2AEVQoyjCyJVqewG7R8P:izETSn5S+nwn5S+n3AE+lCyJMWXnQI2
MD5:	9D3E71DF8ABB23D04ED6AB93F3A02A1A
SHA1:	7F69C3BB1A15181EDC95D10D23A3929340CB6737
SHA-256:	3768B4CA22D37EDFC17E12A4DB8B7F42321EAD3015AE156F795AB0144497E114
SHA-512:	02AED9416D6B2EBB1CC89E6381C1F1B79125BB2319ED5ADD04126AFA8A895FF1B84D3AEFEBC718F9CABB3372F203731629F9E99F1489571E21925E89CAF7E32A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7191937CDD41FDF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5531607290802252
Encrypted:	false
SSDEEP:	48:y8Ph9uRc06WXJanT5EgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:dh91RnTWgcP5rQZlC9WX05rM1
MD5:	9B21BA4CD47B99CB3C2ADF92FE966D81
SHA1:	FDAF4BD5ECDB4EE4B9B73E0F4A96DD2A330FE145
SHA-256:	0A7B91CF3AF8F3F806523AE30510F5854310C19FDA900E7BB416B227C0C9B263
SHA-512:	7F20645CA5B53CF6B74214AFAB255F4CB9E4224F0935891FAA82622CD13259D4F450D8E37337A1F4DA0B79BAA07BEE01BE87B46557E61EF34EEA6AA2ACA089CE
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD092E1FE7A2C0DE0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2456949116439096
Encrypted:	false
SSDEEP:	48:9mFu+M+CFXJpT5vgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:QFuRTZgcP5rQZlC9WX05rM1
MD5:	924D0ECF7AFAF4963CC9F69EED098581
SHA1:	1378A26BC8A52EA57E9717DF5058F3779F7767C0
SHA-256:	E9B3228A38D5DDF624B5A384C6671D13141AAE3FD5015BC1462DA8DCF41643C8
SHA-512:	AE99AF590ADE18656D5C1A2BF0EC0E6E7FCE213547CAC8393CC8A082B18D83888F8193FBA0574064A8D83DF97585E1E4057E8CB0811B1EAF3CB51E14B4791867
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD4DF07CAE6161815.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE5D70B032B07E197.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2456949116439096
Encrypted:	false
SSDEEP:	48:9mFu+M+CFXJpT5vgIDPn5S+n3AE+lCyJMWX0n5S+nTTk1:QFuRTZgcP5rQZlC9WX05rM1
MD5:	924D0ECF7AFAF4963CC9F69EED098581
SHA1:	1378A26BC8A52EA57E9717DF5058F3779F7767C0
SHA-256:	E9B3228A38D5DDF624B5A384C6671D13141AAE3FD5015BC1462DA8DCF41643C8
SHA-512:	AE99AF590ADE18656D5C1A2BF0EC0E6E7FCE213547CAC8393CC8A082B18D83888F8193FBA0574064A8D83DF97585E1E4057E8CB0811B1EAF3CB51E14B4791867
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {9ED1FB04-2953-4096-9113-EE8E25C60EEA}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Dec 5 14:37:02 2024, Last Saved Time/Date: Thu Dec 5 14:37:02 2024, Last Printed: Thu Dec 5 14:37:02 2024, Number of Pages: 450
Entropy (8bit):	7.979385153160636
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	Setup.msi
File size:	56'197'120 bytes
MD5:	1f3f76a13d8e6acf1d558a8e4881d0f8
SHA1:	79547be133bb2324b747adb207506b5442a2f245
SHA256:	0339fed5c288bcc81b2c228b4b10924317bae6c529d9ac17b8007f0285b06295
SHA512:	ca0ab83c049246645f38f65a3021a310b3d8b97d00d71c951211d89b7f764916bfd2fd765edab6fc6e734397f4cda9338a2ea44407ae978df783923674f6321f
SSDEEP:	786432:U+Mh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZL:UB6FnkF2d6VXXtzR5mgvkz1d2x5wKkL
TLSH:	1CC73360B596C537D66D11B7D529EEEE423F7D220BB148DBB7E4392E0E348C09232A17
File Content Preview:	........................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...*...+...,...-...$...%...&...'...(...)..................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T13:51:51.464918+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.7	49740	172.67.204.246	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 13:51:49.905656099 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:49.905690908 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:49.905982018 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:49.911148071 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:49.911159992 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:51.128652096 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:51.128748894 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:51.407289028 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:51.407305002 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:51.407687902 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:51.407751083 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:51.464725018 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:51.464798927 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:51.464843988 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:52.482357979 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:52.482454062 CET	443	49740	172.67.204.246	192.168.2.7
Dec 6, 2024 13:51:52.482485056 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:52.482520103 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:52.576817989 CET	49740	443	192.168.2.7	172.67.204.246
Dec 6, 2024 13:51:52.576838017 CET	443	49740	172.67.204.246	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 13:51:49.579297066 CET	52433	53	192.168.2.7	1.1.1.1
Dec 6, 2024 13:51:49.897841930 CET	53	52433	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 13:51:49.579297066 CET	192.168.2.7	1.1.1.1	0xe2b7	Standard query (0)	search-keys.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 13:51:49.897841930 CET	1.1.1.1	192.168.2.7	0xe2b7	No error (0)	search-keys.com		172.67.204.246	A (IP address)	IN (0x0001)	false
Dec 6, 2024 13:51:49.897841930 CET	1.1.1.1	192.168.2.7	0xe2b7	No error (0)	search-keys.com		104.21.42.101	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

search-keys.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49740	172.67.204.246	443	3964	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-06 12:51:51 UTC	197	OUT	POST /licenseUser.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: search-keys.com Content-Length: 48 Cache-Control: no-cache
2024-12-06 12:51:51 UTC	48	OUT	Data Raw: 54 69 6d 65 3d 30 37 25 33 41 35 31 25 33 41 34 38 26 44 61 74 65 3d 30 36 25 32 46 31 32 25 32 46 32 30 32 34 26 50 72 6f 64 75 63 74 49 44 3d Data Ascii: Time=07%3A51%3A48&Date=06%2F12%2F2024&ProductID=
2024-12-06 12:51:52 UTC	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 12:51:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HdjRSPsJHHmyPKzlp5BQRlG8FfrU%2Fy6oCFJqgOv8eTDdN7fzubrYn8ahySQK81ZdZZBRLoQtFXC7VSuR143gC2SvSGU8QEE%2BX8%2FsubmXk2aLyk5HWkRr3JwPdNnthUB57zs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8edc68e7aabb41ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1753&min_rtt=1731&rtt_var=665&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=905&delivery_rate=1686886&cwnd=207&unsent_bytes=0&cid=77327532a3ee67a6&ts=1366&x=0"
2024-12-06 12:51:52 UTC	7	IN	Data Raw: 32 0d 0a 30 61 0d 0a Data Ascii: 20a
2024-12-06 12:51:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	2
Start time:	07:51:27
Start date:	06/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
Imagebase:	0x7ff7c3bf0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:51:27
Start date:	06/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7c3bf0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:51:31
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 2E9040404F635EED2642FA0606A59337
Imagebase:	0xfb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:47:08
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\pssE113.ps1" -propFile "C:\Users\user~1\AppData\Local\Temp\msiE101.txt" -scriptFile "C:\Users\user~1\AppData\Local\Temp\scrE102.ps1" -scriptArgsFile "C:\Users\user~1\AppData\Local\Temp\scrE103.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:47:08
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:47:18
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"
Imagebase:	0x7ff718250000
File size:	1'039'136 bytes
MD5 hash:	5E807B5DAD1B6C81982037C714DC9AEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:47:18
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 070D1B50 Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

$q, xrefs: 070D1BEB
$q, xrefs: 070D1C3E
$q, xrefs: 070D1C32

Memory Dump Source

Source File: 00000008.00000002.1549718097.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: 6f0fe3583dae7f3e12742c2ddb8b9961a89856568aa7537ef57137ab4110180e
Instruction ID: efb0202db9d0922bf1612d8314f380d0d6b9a4c3cd97b7d0b4d2d2ee9e00c129
Opcode Fuzzy Hash: 6f0fe3583dae7f3e12742c2ddb8b9961a89856568aa7537ef57137ab4110180e
Instruction Fuzzy Hash: 476148B170430EDFDB258F69D85076ABBE6EF89210F19816AE845CB251DF31DC41CBA1

Function 070D1B35 Relevance: 2.6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

$q, xrefs: 070D1BEB
$q, xrefs: 070D1C32

Memory Dump Source

Source File: 00000008.00000002.1549718097.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 7198738829800546c40bf9e419f15261a147c8a17428ea4b4bf44fa0eb1d53c6
Instruction ID: 47f3da993cea8e112e723d75ca99fd62a4857ddaa7f4c2214f3d84932661c47b
Opcode Fuzzy Hash: 7198738829800546c40bf9e419f15261a147c8a17428ea4b4bf44fa0eb1d53c6
Instruction Fuzzy Hash: 8E3189B0A0430EDFCB648F15D584BA977F6AF41220F1A9266E8098B251EB34DD81CB91

Function 043C8478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e166c1fa51f4811094160476edd223f2fb2a8ca01bd4574f0b1005977243f0b2
Instruction ID: 3e568558c1d80d2e1717e7a99d8624d08fb3200c22008ade66737e2a86c4d0d1
Opcode Fuzzy Hash: e166c1fa51f4811094160476edd223f2fb2a8ca01bd4574f0b1005977243f0b2
Instruction Fuzzy Hash: F1A17B35E002089FDB18EFA5D544AAEBBF2FF84351F154558E406AF664DB34AE49CF80

Function 043C8BC8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a87a73a065e3a622c782b81591d90d6c7fe22bc44efd53ee8fcff32086e8937
Instruction ID: d96464c27fb8945a64ef2f9cf6c895786c86fc1b5172ddfba285b1a735186eb2
Opcode Fuzzy Hash: 7a87a73a065e3a622c782b81591d90d6c7fe22bc44efd53ee8fcff32086e8937
Instruction Fuzzy Hash: 3171DF30A002098FDB15DF68C880A9EBBF6BF89314F14856ED415DB691DB75FD46CB90

Function 043C8D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7685a227602708296ed924542fd35e9cc9ee8999367426b12a9752c1e4a266bf
Instruction ID: 2701345bbd0d33e0dfa57fbe51b2a8a23c34093e4c63b1503b44a4a088bf700b
Opcode Fuzzy Hash: 7685a227602708296ed924542fd35e9cc9ee8999367426b12a9752c1e4a266bf
Instruction Fuzzy Hash: 16713E70E00208DFDB18EFB4D444AAEBBF6BF88345F149429D415AB290DB74AD46CF55

Function 043C8959 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab89098eb559f35cb43e42d484ece032d03f404e7044a8dacc6f77ff894ae556
Instruction ID: 1c82a5e943f6e91652cc73b07686a71de5162cc253d3dd15fd46952b29c436df
Opcode Fuzzy Hash: ab89098eb559f35cb43e42d484ece032d03f404e7044a8dacc6f77ff894ae556
Instruction Fuzzy Hash: 7F419D35A002009FEB19DF34C854AAE7BF6EF89751F185569E406EB3A1DF34AD42CB90

Function 043C8BB8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eef339db518eb7f15d1c6ecf796490f6ac6363663d3e8491bb9661d4704ade1
Instruction ID: d03a83b835ad197703fe9aca0378a8ebb994909f983075b40fa21ab3b893eb43
Opcode Fuzzy Hash: 2eef339db518eb7f15d1c6ecf796490f6ac6363663d3e8491bb9661d4704ade1
Instruction Fuzzy Hash: A0415C70E002089FDB19EFA4C84479EBBF2BF89305F14892DD415AB290DB74AD46CB80

Function 043C3D10 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8a145929c762d003887925973158989942d23d010b87c3ca8edd7dcfce5953
Instruction ID: 22e3a091933cc3d6894cad3f83e99e825084700cebf7f0fa92e49ec645fd9e22
Opcode Fuzzy Hash: 2a8a145929c762d003887925973158989942d23d010b87c3ca8edd7dcfce5953
Instruction Fuzzy Hash: C0411875A006099FCB16CF58C494AAEFBB1FF48310B258659E815AB364C736FC91CBA0

Function 043C3A80 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf88d6ffdb443ebb1f83c4428bca6b6aaea99bd7a88df29233b9f6a6ce3e4cd
Instruction ID: c6e4ff58b1f070dc2dd24743f18eb3d82a4a5f7fd9f85a5b49210f4d8a8373f6
Opcode Fuzzy Hash: daf88d6ffdb443ebb1f83c4428bca6b6aaea99bd7a88df29233b9f6a6ce3e4cd
Instruction Fuzzy Hash: 71314030B08A018FC394DB389060629BBF6FBC7340359D9ADE446CFB51EA24FC469B65

Function 0298D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544171552.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f735f95c80a62a9a3480b2baa2a65e6788deec1f136d1baf76f0ea2a0ddcc4
Instruction ID: 7c284915fa57a8b5b3984fb3a0def1a099ae83938c363fda6eadb9277a63869b
Opcode Fuzzy Hash: a3f735f95c80a62a9a3480b2baa2a65e6788deec1f136d1baf76f0ea2a0ddcc4
Instruction Fuzzy Hash: 8601F2314093449AE7206E35DC84B66BF9CDF41229F0CC41AEC480B2C2C7799946CAB2

Function 0298D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544171552.000000000298D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0298D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_298d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3925137ff417c4d46271add8a937c251358a788376601712a51ea5c1563e54f
Instruction ID: fa210bde965e6b27ac3b86f6cf8ddd5a3abf2d60474eb3718c5581e1f6c0879d
Opcode Fuzzy Hash: a3925137ff417c4d46271add8a937c251358a788376601712a51ea5c1563e54f
Instruction Fuzzy Hash: 52014C6100E3C09FD7128B358C94B62BFB8DF43225F1D81DBD9888F2A3C2695849C772

Function 043C88ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56cc62903cdb6ef0b3acb9697e5e26f3d0f5d649e85683bf0eaad2131a24812
Instruction ID: 1c1100c8f2139b33b58176f3017d06ff9bba43101144987049e3245087dc7811
Opcode Fuzzy Hash: b56cc62903cdb6ef0b3acb9697e5e26f3d0f5d649e85683bf0eaad2131a24812
Instruction Fuzzy Hash: 78F03034E4030ACFEB14EFA0C595B6E77B2AF44340F108A18D1029F694DB78AE498FC1

Non-executed Functions

Function 043C1D68 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1544677711.00000000043C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_43c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbf4e26569b8219921758a134c1d290dbb93a389e4b3725c49e63cc49a51cb3
Instruction ID: 812603cf4cb2642ac5f30ccf003e98a4cfdc32d6c8d1489e36f3e1b68abb0529
Opcode Fuzzy Hash: 1dbf4e26569b8219921758a134c1d290dbb93a389e4b3725c49e63cc49a51cb3
Instruction Fuzzy Hash: E141E14244E7D21FD307A73869A52C5BF70AE53068B4E83D7C1C1CF5E3EA49494AC3A2

Function 070D1658 Relevance: 10.3, Strings: 8, Instructions: 269COMMON

Download Yara Rule

Strings

$q, xrefs: 070D169C
$q, xrefs: 070D17B4
tPq, xrefs: 070D16E1
tPq, xrefs: 070D16D5
tPq, xrefs: 070D1837
$q, xrefs: 070D1690
tPq, xrefs: 070D1843
$q, xrefs: 070D166A

Memory Dump Source

Source File: 00000008.00000002.1549718097.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d0000_powershell.jbxd

Similarity

API ID:
String ID: tPq$tPq$tPq$tPq$$q$$q$$q$$q
API String ID: 0-1696293005
Opcode ID: 1b9047a2f394cb615661d8eb78a11cfc4ab7125bf58983a0655985ea81ca760e
Instruction ID: 1cb1d6b8a6aab170c9239915b9a4d2bef6eb962ac8fa41b13ebce5d8f734e19e
Opcode Fuzzy Hash: 1b9047a2f394cb615661d8eb78a11cfc4ab7125bf58983a0655985ea81ca760e
Instruction Fuzzy Hash: 3C916B71B0434A9FD725CB69D80176ABBF6AF86220F1981ABE445CF391CE35DC01C7A2

Function 070D0898 Relevance: 10.2, Strings: 8, Instructions: 179COMMON

Download Yara Rule

Strings

$q, xrefs: 070D0A62
4'q, xrefs: 070D0947
$q, xrefs: 070D08EF
$q, xrefs: 070D091D
$q, xrefs: 070D0929
$q, xrefs: 070D0A56
4'q, xrefs: 070D0953
$q, xrefs: 070D0A3E

Memory Dump Source

Source File: 00000008.00000002.1549718097.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q$$q$$q$$q
API String ID: 0-2370149875
Opcode ID: 8a1033bf7646f3fa9d2b151f4951c7764716130d6718f537f8a53cbe159270e7
Instruction ID: cdd05cbcbf0c6de89f5dc2e40f1f6e1b97f8df71ae9e7d40032ae5f69d13e26b
Opcode Fuzzy Hash: 8a1033bf7646f3fa9d2b151f4951c7764716130d6718f537f8a53cbe159270e7
Instruction Fuzzy Hash: A751ECB5B04316CFEB658A6A980066BFBF6EFC5221F18817BE85DC7241DA31DC41C7A1

Function 070D04D1 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

4'q, xrefs: 070D053B
$q, xrefs: 070D051A
$q, xrefs: 070D0526
4'q, xrefs: 070D0547

Memory Dump Source

Source File: 00000008.00000002.1549718097.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_70d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 71a39ef92913fc0e247b2e69b1280aa47dd389344f271d91aec1b02d430f6e0e
Instruction ID: f27e64f0696c6ee32d4b186d9215c47e029c3ba87509a08c9d2043c65a9e83b6
Opcode Fuzzy Hash: 71a39ef92913fc0e247b2e69b1280aa47dd389344f271d91aec1b02d430f6e0e
Instruction Fuzzy Hash: 8B01A2217093825FD726133838242965FB65BC3550F2E41ABD855CF29BCD188D02C3B3

Analysis Process: openvpn.exePID: 7692, Parent PID: 2980COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFB1C88CD30 Relevance: 276.8, APIs: 134, Strings: 23, Instructions: 2015threadtimewindowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32 ref: 00007FFB1C88CD96
GetProcessWorkingSetSizeEx.KERNEL32 ref: 00007FFB1C88CDA6
CloseWindow.USER32 ref: 00007FFB1C88CDAE
DrawAnimatedRects.USER32 ref: 00007FFB1C88CDBE
FindNextVolumeMountPointW.KERNEL32 ref: 00007FFB1C88CDCB
SwitchToThread.KERNEL32 ref: 00007FFB1C88CDD1
CloseThreadpoolTimer.KERNEL32 ref: 00007FFB1C88CDD9
UpdateResourceW.KERNEL32 ref: 00007FFB1C88CDF2
SetProtectedPolicy.KERNEL32 ref: 00007FFB1C88CDFF
GetClassWord.USER32 ref: 00007FFB1C88CE09
GetModuleHandleW.KERNEL32 ref: 00007FFB1C88CE11
SetHandleInformation.KERNEL32 ref: 00007FFB1C88CE1E
SetWindowTextW.USER32 ref: 00007FFB1C88CE28
CopyFile2.KERNEL32 ref: 00007FFB1C88CE3F
GetAtomNameW.KERNEL32 ref: 00007FFB1C88CE4C
SetFilePointer.KERNEL32 ref: 00007FFB1C88CE5C
SetMailslotInfo.KERNEL32 ref: 00007FFB1C88CE66
PostMessageW.USER32 ref: 00007FFB1C88CE76
GetProcessHandleCount.KERNEL32 ref: 00007FFB1C88CE80
SetLayeredWindowAttributes.USER32 ref: 00007FFB1C88CE90
GetFileInformationByHandle.KERNEL32 ref: 00007FFB1C88CFED
IsValidLanguageGroup.KERNEL32 ref: 00007FFB1C88CFF7
GetProcAddress.KERNEL32 ref: 00007FFB1C88D006
ReOpenFile.KERNEL32 ref: 00007FFB1C88D016
CreateCompatibleBitmap.GDI32 ref: 00007FFB1C88D023
SetDIBits.GDI32 ref: 00007FFB1C88D041
GlobalFree.KERNEL32 ref: 00007FFB1C88D049
MapUserPhysicalPagesScatter.KERNEL32 ref: 00007FFB1C88D056
CreateMemoryResourceNotification.KERNEL32 ref: 00007FFB1C88D05E
Wow64GetThreadContext.KERNEL32 ref: 00007FFB1C88D068
UnregisterWait.KERNEL32 ref: 00007FFB1C88D070
SelectClipRgn.GDI32 ref: 00007FFB1C88D07A
SetLocalTime.KERNEL32 ref: 00007FFB1C88D082
SelectObject.GDI32 ref: 00007FFB1C88D08C
SetDefaultDllDirectories.KERNEL32 ref: 00007FFB1C88D094
FindFirstVolumeMountPointW.KERNEL32 ref: 00007FFB1C88D0C8
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFB1C88D0D5
GetNumaProximityNodeEx.KERNEL32 ref: 00007FFB1C88D0DF
CancelWaitableTimer.KERNEL32 ref: 00007FFB1C88D0E7
HeapWalk.KERNEL32 ref: 00007FFB1C88D0F1
Wow64SuspendThread.KERNEL32 ref: 00007FFB1C88D0F9
FlushFileBuffers.KERNEL32 ref: 00007FFB1C88D101
SetFileTime.KERNEL32 ref: 00007FFB1C88D111
FindFirstFileTransactedW.KERNEL32 ref: 00007FFB1C88D12F
GetSystemDirectoryW.KERNEL32 ref: 00007FFB1C88D139
SizeofResource.KERNEL32 ref: 00007FFB1C88D143
EnumResourceLanguagesExW.KERNEL32 ref: 00007FFB1C88D161
EnumDateFormatsExW.KERNEL32 ref: 00007FFB1C88D16E
GetSystemDefaultLangID.KERNEL32 ref: 00007FFB1C88D174
DeleteProcThreadAttributeList.KERNEL32 ref: 00007FFB1C88D1ED
GetLongPathNameW.KERNEL32 ref: 00007FFB1C88D1FA
GetMailslotInfo.KERNEL32 ref: 00007FFB1C88D20F
LoadPackagedLibrary.KERNEL32 ref: 00007FFB1C88D21E
ScrollConsoleScreenBufferW.KERNEL32 ref: 00007FFB1C88D233
BindIoCompletionCallback.KERNEL32 ref: 00007FFB1C88D240
GetLongPathNameW.KERNEL32 ref: 00007FFB1C88D24D
EnumSystemFirmwareTables.KERNEL32 ref: 00007FFB1C88D25A
DeleteProcThreadAttributeList.KERNEL32 ref: 00007FFB1C88D262
FindFirstFileNameW.KERNEL32 ref: 00007FFB1C88D277
CreateFileMappingFromApp.KERNEL32 ref: 00007FFB1C88D28C
GetFileInformationByHandle.KERNEL32 ref: 00007FFB1C88D296
CreateEventW.KERNEL32 ref: 00007FFB1C88D2A6
GetThreadUILanguage.KERNEL32 ref: 00007FFB1C88D2AC
QueryMemoryResourceNotification.KERNEL32 ref: 00007FFB1C88D2B6
SetConsoleMode.KERNEL32 ref: 00007FFB1C88D2C0
GenerateConsoleCtrlEvent.KERNEL32 ref: 00007FFB1C88D2CA
PathFileExistsA.SHLWAPI ref: 00007FFB1C88D32D
GlobalDeleteAtom.KERNEL32 ref: 00007FFB1C88D36D
HeapReAlloc.KERNEL32 ref: 00007FFB1C88D37D
TransactNamedPipe.KERNEL32 ref: 00007FFB1C88D39C
ClosePrivateNamespace.KERNEL32 ref: 00007FFB1C88D3A6
ClearCommError.KERNEL32 ref: 00007FFB1C88D3B3
LocalFileTimeToFileTime.KERNEL32 ref: 00007FFB1C88D3BD
GetProcessPriorityBoost.KERNEL32 ref: 00007FFB1C88D3C7
CheckNameLegalDOS8Dot3W.KERNEL32 ref: 00007FFB1C88D3DC
MoveFileTransactedW.KERNEL32 ref: 00007FFB1C88D3F6
GlobalAddAtomW.KERNEL32 ref: 00007FFB1C88D3FE
SetCommState.KERNEL32 ref: 00007FFB1C88D408
SetDllDirectoryW.KERNEL32 ref: 00007FFB1C88D410
GetThreadPriorityBoost.KERNEL32 ref: 00007FFB1C88D41A
GetFirmwareEnvironmentVariableW.KERNEL32 ref: 00007FFB1C88D42A
UpdateProcThreadAttribute.KERNEL32 ref: 00007FFB1C88D450
SetConsoleMode.KERNEL32 ref: 00007FFB1C88D45A
FreeLibraryWhenCallbackReturns.KERNEL32 ref: 00007FFB1C88D464
GetCalendarInfoW.KERNEL32 ref: 00007FFB1C88D47E
GetTickCount64.KERNEL32 ref: 00007FFB1C88D484
GenerateConsoleCtrlEvent.KERNEL32 ref: 00007FFB1C88D48E
FlushProcessWriteBuffers.KERNEL32 ref: 00007FFB1C88D494
SetThreadpoolWaitEx.KERNEL32 ref: 00007FFB1C88D4A4
FindFirstFileA.KERNEL32 ref: 00007FFB1C88D58A
FindNextFileA.KERNEL32 ref: 00007FFB1C88D604
FindClose.KERNEL32 ref: 00007FFB1C88D611
OutputDebugStringA.KERNEL32 ref: 00007FFB1C88D9F4
FindClose.KERNEL32 ref: 00007FFB1C88DC0C
RegOpenKeyExA.ADVAPI32 ref: 00007FFB1C88DD67
RegQueryValueExA.ADVAPI32 ref: 00007FFB1C88DDAA
OutputDebugStringA.KERNEL32 ref: 00007FFB1C88DFC9
RegCloseKey.ADVAPI32 ref: 00007FFB1C88E075
GetConsoleHistoryInfo.KERNEL32 ref: 00007FFB1C88E1FB
SwitchToThread.KERNEL32 ref: 00007FFB1C88E201
CreateTapePartition.KERNEL32 ref: 00007FFB1C88E211
HeapReAlloc.KERNEL32 ref: 00007FFB1C88E221
UnregisterBadMemoryNotification.KERNEL32 ref: 00007FFB1C88E229
GetTimeFormatEx.KERNEL32 ref: 00007FFB1C88E24D
EnumSystemFirmwareTables.KERNEL32 ref: 00007FFB1C88E25A
lstrcmpW.KERNEL32 ref: 00007FFB1C88E264
WaitForThreadpoolIoCallbacks.KERNEL32 ref: 00007FFB1C88E26E
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB1C88E276
GetTempPathA.KERNEL32 ref: 00007FFB1C88E2F1
CreateDirectoryA.KERNEL32 ref: 00007FFB1C88E39B
GetLastError.KERNEL32 ref: 00007FFB1C88E3A5
OutputDebugStringA.KERNEL32 ref: 00007FFB1C88E748
ScreenToClient.USER32 ref: 00007FFB1C88E954
LogicalToPhysicalPoint.USER32 ref: 00007FFB1C88E95E
InitOnceInitialize.KERNEL32 ref: 00007FFB1C88E966
GetThreadErrorMode.KERNEL32 ref: 00007FFB1C88E96C
OpenFileMappingW.KERNEL32 ref: 00007FFB1C88E979
IsImmersiveProcess.USER32 ref: 00007FFB1C88E981
SetVolumeLabelW.KERNEL32 ref: 00007FFB1C88E98B
SetDoubleClickTime.USER32 ref: 00007FFB1C88E993
FlushFileBuffers.KERNEL32 ref: 00007FFB1C88E99B
GetVersionExW.KERNEL32 ref: 00007FFB1C88E9A3
InsertMenuItemW.USER32 ref: 00007FFB1C88E9B3
SetProcessRestrictionExemption.USER32 ref: 00007FFB1C88E9BB
SetMenuInfo.USER32 ref: 00007FFB1C88E9C5
CheckMenuRadioItem.USER32 ref: 00007FFB1C88E9DD
CreateDirectoryW.KERNEL32 ref: 00007FFB1C88E9E7
CreateIconFromResourceEx.USER32 ref: 00007FFB1C88EA06
QueryThreadpoolStackInformation.KERNEL32 ref: 00007FFB1C88EA10
IsProcessInJob.KERNEL32 ref: 00007FFB1C88EA1D
SetConsoleTitleW.KERNEL32 ref: 00007FFB1C88EA25
ExitProcess.KERNEL32 ref: 00007FFB1C88EA4D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C88EADB
ExitProcess.KERNEL32 ref: 00007FFB1C88EE29

Strings

File Content: , xrefs: 00007FFB1C88DA61
Software\logoq, xrefs: 00007FFB1C88DD59
bahu1a34LOqTfuv, xrefs: 00007FFB1C88E246
VUUU, xrefs: 00007FFB1C88E163
VUUU, xrefs: 00007FFB1C88E0E3
VUUU, xrefs: 00007FFB1C88DC82
logoq, xrefs: 00007FFB1C88D326, 00007FFB1C88D516, 00007FFB1C88D634, 00007FFB1C88E337
hIS2xn1fzb7nCoF2RQbIL64Bi, xrefs: 00007FFB1C88D270
VUUU, xrefs: 00007FFB1C88ED72
ios_base::failbit set, xrefs: 00007FFB1C88EA8E, 00007FFB1C88EAF2
ios_base::eofbit set, xrefs: 00007FFB1C88EA95, 00007FFB1C88EAF9
ios_base::badbit set, xrefs: 00007FFB1C88EA82, 00007FFB1C88EAE6, 00007FFB1C88EB52
ySHHAUv88yeikhFN, xrefs: 00007FFB1C88CE38
Kb3Vt3sWfrUp8i4G, xrefs: 00007FFB1C88E23A
VUUU, xrefs: 00007FFB1C88E13B
ZaE9OieL162PfNyC9SR, xrefs: 00007FFB1C88CE31
r3f4yhK3J5swA5VJdbX71E, xrefs: 00007FFB1C88D1C0
CRC64: , xrefs: 00007FFB1C88D8C0, 00007FFB1C88D941
kjsS89kaCJuxT6mZKl4, xrefs: 00007FFB1C88CFFD
CRC64 (Generated): , xrefs: 00007FFB1C88E624, 00007FFB1C88E698
VUUU, xrefs: 00007FFB1C88ED92
2pn5PD2g3tAbI2y4EH, xrefs: 00007FFB1C88D217
CRC64 (Registry): , xrefs: 00007FFB1C88DEA9, 00007FFB1C88DED9, 00007FFB1C88DEF5, 00007FFB1C88DF1C

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$Thread$Process$CreateFindTime$Console$CloseResource$HandleInfoNameSystem$DirectoryEnumFirstInformationMenuPathProcThreadpool$AtomAttributeBuffersDebugDeleteErrorEventFirmwareFlushGlobalHeapMemoryModeNotificationOpenOutputPointQueryStringVolumeWaitWindow$AllocBoostCallbackCheckCommCtrlDefaultEnvironmentExitFreeFromGenerateItemLanguageLibraryListLocalLongMailslotMappingMountNextPhysicalPriorityScreenSelectSwitchTablesTimerTransactedUnregisterUpdateWow64$AddressAnimatedAttributesBindBitmapBitsBufferCalendarCallbacksCancelClassClearClickClientClipCompatibleCompletionConcurrency::cancel_current_taskContextCopyCountCount64DateDirectoriesDot3DoubleDrawExemptionExistsExpandFile2FormatFormatsGroupHistoryIconImmersiveInitInitializeInsertLabelLangLanguagesLastLayeredLegalLoadLogicalMessageModuleMoveNamedNamespaceNodeNumaObjectOncePackagedPagesPartitionPipePointerPolicyPostPrivateProtectedProximityRadioRectsRemoveRestrictionReturnsScatterScrollSizeSizeofStackStateStringsSuspendTapeTempTextTickTitleTransactUserValidValueVariableVersionWaitableWalkWhenWordWorkingWritelstrcmp
String ID: 2pn5PD2g3tAbI2y4EH$CRC64 (Generated): $CRC64 (Registry): $CRC64: $File Content: $Kb3Vt3sWfrUp8i4G$Software\logoq$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$ZaE9OieL162PfNyC9SR$bahu1a34LOqTfuv$hIS2xn1fzb7nCoF2RQbIL64Bi$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$kjsS89kaCJuxT6mZKl4$logoq$r3f4yhK3J5swA5VJdbX71E$ySHHAUv88yeikhFN
API String ID: 169062426-433100944
Opcode ID: 5aa731534f81a9b32f1978e43f5c580aa286ebe41ba9f63b346d54a35cc8b58a
Instruction ID: 22f24dd67a2a2409d21bf6b34862c4fd82251d1bce13373ae15891e0e45a415f
Opcode Fuzzy Hash: 5aa731534f81a9b32f1978e43f5c580aa286ebe41ba9f63b346d54a35cc8b58a
Instruction Fuzzy Hash: 6F13A4F2A18E8286E725CF34D8983FD37A2FB94768F604136DA4D46A99DF38D545C304

Function 00007FFB1C885550 Relevance: 214.8, APIs: 96, Strings: 26, Instructions: 1323
memorytimethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32 ref: 00007FFB1C88559C
CreateSemaphoreA.KERNEL32 ref: 00007FFB1C885680
GetCurrentProcess.KERNEL32 ref: 00007FFB1C885686
GetProcessTimes.KERNEL32 ref: 00007FFB1C8856AD
FileTimeToSystemTime.KERNEL32 ref: 00007FFB1C8856C2
GetTempPathA.KERNEL32 ref: 00007FFB1C8856D4
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB1C8858A0
GetMaximumProcessorGroupCount.KERNEL32 ref: 00007FFB1C8858A6
GlobalMemoryStatus.KERNEL32 ref: 00007FFB1C8858AE
WriteConsoleOutputAttribute.KERNEL32 ref: 00007FFB1C8858C7
FindVolumeClose.KERNEL32 ref: 00007FFB1C8858CF
SetFileTime.KERNEL32 ref: 00007FFB1C8858DF
SetConsoleMode.KERNEL32 ref: 00007FFB1C8858E9
SetStdHandle.KERNEL32 ref: 00007FFB1C8858F3
OpenWaitableTimerW.KERNEL32 ref: 00007FFB1C885900
SetConsoleDisplayMode.KERNEL32 ref: 00007FFB1C88590D
SetThreadErrorMode.KERNEL32 ref: 00007FFB1C885917
EnumTimeFormatsW.KERNEL32 ref: 00007FFB1C885924
RtlCaptureContext.KERNEL32 ref: 00007FFB1C88592C
GetVersionExW.KERNEL32 ref: 00007FFB1C885934
IsWindowUnicode.USER32 ref: 00007FFB1C88597B
CreatePopupMenu.USER32 ref: 00007FFB1C885981
WritePrivateProfileSectionW.KERNEL32 ref: 00007FFB1C88598E
AddScopedPolicyIDAce.KERNEL32 ref: 00007FFB1C8859A3
InsertMenuW.USER32 ref: 00007FFB1C8859B8
DebugActiveProcess.KERNEL32 ref: 00007FFB1C8859C0
SetFocus.USER32 ref: 00007FFB1C8859C8
GetCapture.USER32 ref: 00007FFB1C8859CE
TrackPopupMenuEx.USER32 ref: 00007FFB1C8859E8
GetClassLongW.USER32 ref: 00007FFB1C8859F2
LocalAlloc.KERNEL32 ref: 00007FFB1C8860A2
GetInputState.USER32 ref: 00007FFB1C8860BF
PowerCreateRequest.KERNEL32 ref: 00007FFB1C8860C7
ChangeTimerQueueTimer.KERNEL32 ref: 00007FFB1C8860D7
OpenJobObjectW.KERNEL32 ref: 00007FFB1C8860E4
PrepareTape.KERNEL32 ref: 00007FFB1C8860F1
SetProcessRestrictionExemption.USER32 ref: 00007FFB1C8860F9
GetActiveProcessorCount.KERNEL32 ref: 00007FFB1C886101
ReuseDDElParam.USER32 ref: 00007FFB1C886116
DebugActiveProcess.KERNEL32 ref: 00007FFB1C88611E
GetNumaProcessorNodeEx.KERNEL32 ref: 00007FFB1C886128
GetConsoleScreenBufferInfo.KERNEL32 ref: 00007FFB1C886132
lstrcmpW.KERNEL32 ref: 00007FFB1C88613C
OpenSemaphoreW.KERNEL32 ref: 00007FFB1C8861C8
GetPrivateProfileStructW.KERNEL32 ref: 00007FFB1C8861DD
CreateThreadpoolWork.KERNEL32 ref: 00007FFB1C8861EA
FindFirstChangeNotificationW.KERNEL32 ref: 00007FFB1C8861F7
WritePrivateProfileStringW.KERNEL32 ref: 00007FFB1C886207
GetLogicalProcessorInformationEx.KERNEL32 ref: 00007FFB1C886214
IsProcessInJob.KERNEL32 ref: 00007FFB1C886221
SearchPathW.KERNEL32 ref: 00007FFB1C88623B
SetFileAttributesW.KERNEL32 ref: 00007FFB1C886245
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C88624D
AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C886255
EnumTimeFormatsEx.KERNEL32 ref: 00007FFB1C88626A
CreateRemoteThread.KERNEL32 ref: 00007FFB1C886289
DisableThreadLibraryCalls.KERNEL32 ref: 00007FFB1C886291
GetDevicePowerState.KERNEL32 ref: 00007FFB1C88629B
HeapAlloc.KERNEL32 ref: 00007FFB1C8862B0
CopyFileTransactedW.KERNEL32 ref: 00007FFB1C8862E4
GetFileType.KERNEL32 ref: 00007FFB1C8862EC
FindVolumeMountPointClose.KERNEL32 ref: 00007FFB1C8862F4
DeviceIoControl.KERNEL32 ref: 00007FFB1C886318
GetCompressedFileSizeW.KERNEL32 ref: 00007FFB1C886322
GetStringTypeExW.KERNEL32 ref: 00007FFB1C886337
GetNamedPipeClientProcessId.KERNEL32 ref: 00007FFB1C886341
Wow64DisableWow64FsRedirection.KERNEL32 ref: 00007FFB1C886349
FindFirstStreamTransactedW.KERNEL32 ref: 00007FFB1C886363
GetConsoleProcessList.KERNEL32 ref: 00007FFB1C88636D
OpenProcess.KERNEL32 ref: 00007FFB1C88637A
EnumResourceTypesW.KERNEL32 ref: 00007FFB1C886387
HeapCreate.KERNEL32 ref: 00007FFB1C88680F
GetLastError.KERNEL32 ref: 00007FFB1C886830
HeapAlloc.KERNEL32 ref: 00007FFB1C886862
GetLastError.KERNEL32 ref: 00007FFB1C886883
HeapDestroy.KERNEL32 ref: 00007FFB1C88690D
SizeofResource.KERNEL32 ref: 00007FFB1C88696A
WriteProfileStringW.KERNEL32 ref: 00007FFB1C886977
InitOnceExecuteOnce.KERNEL32 ref: 00007FFB1C886987
CloseThreadpoolWait.KERNEL32 ref: 00007FFB1C88698F
GetSystemRegistryQuota.KERNEL32 ref: 00007FFB1C886999
DebugSetProcessKillOnExit.KERNEL32 ref: 00007FFB1C8869A1
FreeLibraryWhenCallbackReturns.KERNEL32 ref: 00007FFB1C8869AB
CompareStringOrdinal.KERNEL32 ref: 00007FFB1C8869C9
FindFirstChangeNotificationW.KERNEL32 ref: 00007FFB1C8869D6
QueueUserWorkItem.KERNEL32 ref: 00007FFB1C8869E3
WaitForThreadpoolWorkCallbacks.KERNEL32 ref: 00007FFB1C8869ED
SetFileShortNameW.KERNEL32 ref: 00007FFB1C8869F7
GlobalReAlloc.KERNEL32 ref: 00007FFB1C886A04
DebugBreakProcess.KERNEL32 ref: 00007FFB1C886A0C
WritePrivateProfileStringW.KERNEL32 ref: 00007FFB1C886A1C
UnregisterApplicationRestart.KERNEL32 ref: 00007FFB1C886A22
CreateDirectoryExW.KERNEL32 ref: 00007FFB1C886A2F
VirtualQueryEx.KERNEL32 ref: 00007FFB1C886A3F
RegisterBadMemoryNotification.KERNEL32 ref: 00007FFB1C886A47

Strings

xnaYjUlyC2uRTjA63tmvliSs2, xrefs: 00007FFB1C8869B9
- Directory, xrefs: 00007FFB1C885D30
- Encrypted, xrefs: 00007FFB1C885DC6
Allocated Memory Address: , xrefs: 00007FFB1C8868A4
ios_base::failbit set, xrefs: 00007FFB1C886B0E
VUUU, xrefs: 00007FFB1C885941
ios_base::eofbit set, xrefs: 00007FFB1C886B15
Current Directory: , xrefs: 00007FFB1C885CE6
ewJwhQmLOtiXAeWrRJOhzdV, xrefs: 00007FFB1C885672
Attributes:, xrefs: 00007FFB1C885D17
NwfCt29RGR3B63mKVRvrR4Neg1Iv, xrefs: 00007FFB1C88635C
- Read-only, xrefs: 00007FFB1C885D49
Semaphore Name: MorningSemaphore, xrefs: 00007FFB1C886658
- Hidden, xrefs: 00007FFB1C885D62
- Archive, xrefs: 00007FFB1C885D94
mNDIfHCvc7VLuNda, xrefs: 00007FFB1C886261
Heap creation failed: , xrefs: 00007FFB1C88681D
ios_base::badbit set, xrefs: 00007FFB1C886B02
- Temporary, xrefs: 00007FFB1C885DDF
Process Creation Time: , xrefs: 00007FFB1C886668
Memory allocation failed: , xrefs: 00007FFB1C886874
- Compressed, xrefs: 00007FFB1C885DAD
rxcTFBfUQlcLMilzuEzMMT.txt, xrefs: 00007FFB1C885721
64iKREQfwc9TNUB, xrefs: 00007FFB1C8869C2
- System, xrefs: 00007FFB1C885D7B
Current Date & Time: , xrefs: 00007FFB1C8864B2

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Process$CreateFile$Time$ConsoleFindProfileStringWrite$AllocDebugHeapOpenPrivateProcessor$ActiveChangeCloseEnumErrorFirstMenuModeNotificationThreadThreadpoolTimerWork$AcquireCaptureCountDeviceDisableExclusiveFormatsGlobalLastLibraryLocalLockMemoryOncePathPopupPowerQueueResourceSemaphoreStateSystemTransactedTypeVolumeWaitWow64$ApplicationAttributeAttributesBreakBufferCallbackCallbacksCallsClassClientCompareCompressedContextControlCopyCurrentDestroyDirectoryDisplayEnvironmentExecuteExemptionExitFocusFreeGroupHandleInfoInformationInitInputInsertItemKillListLogicalLongMaximumMountNameNamedNodeNumaObjectOrdinalOutputParamPipePointPolicyPrepareQueryQuotaRedirectionRegisterRegistryRemoteRequestRestartRestrictionReturnsReuseScopedScreenSearchSectionShortSizeSizeofStatusStreamStructTapeTempTimesTrackTypesUnicodeUnregisterUserVariableVersionVirtualWaitableWhenWindowlstrcmp
String ID: - Archive$ - Compressed$ - Directory$ - Encrypted$ - Hidden$ - Read-only$ - System$ - Temporary$64iKREQfwc9TNUB$Allocated Memory Address: $Attributes:$Current Date & Time: $Current Directory: $Heap creation failed: $Memory allocation failed: $NwfCt29RGR3B63mKVRvrR4Neg1Iv$Process Creation Time: $Semaphore Name: MorningSemaphore$VUUU$ewJwhQmLOtiXAeWrRJOhzdV$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$mNDIfHCvc7VLuNda$rxcTFBfUQlcLMilzuEzMMT.txt$xnaYjUlyC2uRTjA63tmvliSs2
API String ID: 1296165252-4260108306
Opcode ID: 50e2b081ac01f095c85ea292b361785e28808aaf4e8f01596662cd3b73d03b4d
Instruction ID: ab97ce7bfb8953f771ee7dad5eb2c80512fb0ff8cd36c19df8659761fdca9b64
Opcode Fuzzy Hash: 50e2b081ac01f095c85ea292b361785e28808aaf4e8f01596662cd3b73d03b4d
Instruction Fuzzy Hash: B7D29EF2A14E8285EB11DF74D8986FD3362FB84798F60803ADA4E4BA69DF38D145C344

Function 00007FFB1C887530 Relevance: 194.0, APIs: 95, Strings: 15, Instructions: 1510timethreadmemoryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 00007FFB1C887589
InvalidateRect.USER32 ref: 00007FFB1C8878B5
BeginPaint.USER32 ref: 00007FFB1C8878C4
CreateSolidBrush.GDI32 ref: 00007FFB1C887922
FillRect.USER32 ref: 00007FFB1C887949
GetStockObject.GDI32 ref: 00007FFB1C887954
FrameRect.USER32 ref: 00007FFB1C887964
DeleteObject.GDI32 ref: 00007FFB1C88796D
CreateSolidBrush.GDI32 ref: 00007FFB1C8879CE
FillRect.USER32 ref: 00007FFB1C8879F4
GetStockObject.GDI32 ref: 00007FFB1C8879FF
FrameRect.USER32 ref: 00007FFB1C887A10
DeleteObject.GDI32 ref: 00007FFB1C887A19
EndPaint.USER32 ref: 00007FFB1C887A30
KillTimer.USER32 ref: 00007FFB1C887A3F
PostQuitMessage.USER32 ref: 00007FFB1C887A47
SetTimer.USER32 ref: 00007FFB1C887A5D
GetCurrentProcess.KERNEL32 ref: 00007FFB1C887E50
GetProcessTimes.KERNEL32 ref: 00007FFB1C887E7A
OutputDebugStringW.KERNEL32 ref: 00007FFB1C8880FB
FreeResource.KERNEL32 ref: 00007FFB1C8881A8
GetNamedPipeServerSessionId.KERNEL32 ref: 00007FFB1C8881B2
SetDefaultCommConfigW.KERNEL32 ref: 00007FFB1C8881BF
CreateDIBPatternBrushPt.GDI32 ref: 00007FFB1C8881C9
SetComputerNameExW.KERNEL32 ref: 00007FFB1C8881D3
GetRegionData.GDI32 ref: 00007FFB1C8881E0
GetCommMask.KERNEL32 ref: 00007FFB1C8881EA
PaintRgn.GDI32 ref: 00007FFB1C8881F4
GetPrivateProfileStructW.KERNEL32 ref: 00007FFB1C888209
FreeConsole.KERNEL32 ref: 00007FFB1C88820F
SetProcessAffinityMask.KERNEL32 ref: 00007FFB1C888219
SetFileInformationByHandle.KERNEL32 ref: 00007FFB1C888229
GetVolumeInformationByHandleW.KERNEL32 ref: 00007FFB1C88824C
DefineDosDeviceW.KERNEL32 ref: 00007FFB1C888259
GetSystemFileCacheSize.KERNEL32 ref: 00007FFB1C888266
SetWaitableTimer.KERNEL32 ref: 00007FFB1C88827F
GetTextColor.GDI32 ref: 00007FFB1C888287
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFB1C888291
EnumResourceTypesExW.KERNEL32 ref: 00007FFB1C8882A6
ReadDirectoryChangesW.KERNEL32 ref: 00007FFB1C8882C9
WaitForThreadpoolWorkCallbacks.KERNEL32 ref: 00007FFB1C8882D3
GetProcessGroupAffinity.KERNEL32 ref: 00007FFB1C8882E0
SetPolyFillMode.GDI32 ref: 00007FFB1C8882EA
MulDiv.KERNEL32 ref: 00007FFB1C8882F7

Part of subcall function 00007FFB1C890520: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8905D2
Part of subcall function 00007FFB1C890520: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8905FA
Part of subcall function 00007FFB1C890520: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C890627
Part of subcall function 00007FFB1C890520: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8906BA

Part of subcall function 00007FFB1C890520: std::_Facet_Register.LIBCPMT ref: 00007FFB1C8906A0

OpenMutexW.KERNEL32 ref: 00007FFB1C88830B
OutputDebugStringW.KERNEL32 ref: 00007FFB1C888320
CloseHandle.KERNEL32 ref: 00007FFB1C888329
OutputDebugStringW.KERNEL32 ref: 00007FFB1C888338
GetTempPathW.KERNEL32 ref: 00007FFB1C88834A
GetFileAttributesW.KERNEL32 ref: 00007FFB1C888473
OutputDebugStringA.KERNEL32 ref: 00007FFB1C88867F
RegOpenKeyExW.ADVAPI32 ref: 00007FFB1C88871A
OutputDebugStringW.KERNEL32 ref: 00007FFB1C888813
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C88893D

Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C2C
Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C32

GetConsoleCP.KERNEL32 ref: 00007FFB1C888A4F
CommConfigDialogW.KERNEL32 ref: 00007FFB1C888A5C
lstrcmpiW.KERNEL32 ref: 00007FFB1C888A66
EnumTimeFormatsW.KERNEL32 ref: 00007FFB1C888A73
GetConsoleProcessList.KERNEL32 ref: 00007FFB1C888A7D
FindFirstStreamTransactedW.KERNEL32 ref: 00007FFB1C888A97
BuildCommDCBAndTimeoutsW.KERNEL32 ref: 00007FFB1C888AA4
SetThreadExecutionState.KERNEL32 ref: 00007FFB1C888AAC
IsBadStringPtrW.KERNEL32 ref: 00007FFB1C888AB6
AllocateUserPhysicalPagesNuma.KERNEL32 ref: 00007FFB1C888AC6
SetThreadDescription.KERNEL32 ref: 00007FFB1C888AD5
ConvertThreadToFiber.KERNEL32 ref: 00007FFB1C888ADD
BuildCommDCBW.KERNEL32 ref: 00007FFB1C888AE7
FreeUserPhysicalPages.KERNEL32 ref: 00007FFB1C888AF4
SetCalendarInfoW.KERNEL32 ref: 00007FFB1C888B04
HeapValidate.KERNEL32 ref: 00007FFB1C888B11
GetCompressedFileSizeW.KERNEL32 ref: 00007FFB1C888B1B
HeapSize.KERNEL32 ref: 00007FFB1C888B28
AddIntegrityLabelToBoundaryDescriptor.KERNEL32 ref: 00007FFB1C888B35
CreateEventExW.KERNEL32 ref: 00007FFB1C888B45
DeleteBoundaryDescriptor.KERNEL32 ref: 00007FFB1C888B71
UnregisterApplicationRecoveryCallback.KERNEL32 ref: 00007FFB1C888B77
RegisterBadMemoryNotification.KERNEL32 ref: 00007FFB1C888B7F
EscapeCommFunction.KERNEL32 ref: 00007FFB1C888B89
SetEvent.KERNEL32 ref: 00007FFB1C888B91
DeleteVolumeMountPointW.KERNEL32 ref: 00007FFB1C888B99
GetTickCount.KERNEL32 ref: 00007FFB1C888B9F
ReadFileEx.KERNEL32 ref: 00007FFB1C888BB4
ContinueDebugEvent.KERNEL32 ref: 00007FFB1C888BC1
SetThreadPriorityBoost.KERNEL32 ref: 00007FFB1C888BCB
TrySubmitThreadpoolCallback.KERNEL32 ref: 00007FFB1C888BD8
MoveFileWithProgressW.KERNEL32 ref: 00007FFB1C888BEC
CreateFiber.KERNEL32 ref: 00007FFB1C888BF9
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFB1C888C03
FindFirstFileNameW.KERNEL32 ref: 00007FFB1C888C18
VirtualProtect.KERNEL32 ref: 00007FFB1C888C28
GetEnvironmentStringsW.KERNEL32 ref: 00007FFB1C888C2E
GetOverlappedResult.KERNEL32 ref: 00007FFB1C888C3E
IsValidLanguageGroup.KERNEL32 ref: 00007FFB1C888C48
QueueUserWorkItem.KERNEL32 ref: 00007FFB1C888C55
GlobalReAlloc.KERNEL32 ref: 00007FFB1C888C62

Strings

uiashfiua auifh uiaw: , xrefs: 00007FFB1C887FA2
RLYTjigKTcaqJxqnAoeHxGjKKk, xrefs: 00007FFB1C888678
seoigjisue uioase fuia., xrefs: 00007FFB1C888319
ios_base::failbit set, xrefs: 00007FFB1C8888FB, 00007FFB1C888962
epLbnkcc8CJ5xdbX6av2oBEklOP, xrefs: 00007FFB1C888C11
2yZfB8Btfgs6W65vFG9B8zP5Q77n, xrefs: 00007FFB1C888A90
ios_base::eofbit set, xrefs: 00007FFB1C888902
ios_base::badbit set, xrefs: 00007FFB1C8888EF
MyUniqueMutex, xrefs: 00007FFB1C8882FD
Software\QmuWXPdnBvqzgorNpzrkS, xrefs: 00007FFB1C88870C
xeUZqU2TK11UkCgbav, xrefs: 00007FFB1C888ACC
MvvUXBHppKqJTzSwECAE, xrefs: 00007FFB1C88880C
UIRWsFbBKbNIyrTPwfk, xrefs: 00007FFB1C888803
%s\HOSqxXxJcrbBryfxhJjy, xrefs: 00007FFB1C888357
OIUuaiu faiuhf aiu iawo., xrefs: 00007FFB1C888331

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$CommDebugString$CreateOutputProcessRectstd::_$ConsoleDeleteLockitObjectThread$BrushConcurrency::cancel_current_taskEventFillFreeHandlePaintSizeTimerUser$AffinityBoundaryBuildCallbackConfigCountDescriptorEnumFiberFindFirstFrameGroupHeapInformationLockit::_Lockit::~_MaskNameOpenPagesPhysicalReadRegisterResourceSolidStockThreadpoolVolumeWork$AllocAllocateApplicationAttributesBeginBoostCacheCalendarCallbacksChangesCloseColorCompressedComputerContinueConvertCriticalCtrlCurrentDataDefaultDefineDescriptionDeviceDialogDirectoryEnvironmentEscapeExecutionFacet_FormatsFunctionGlobalHandlerInfoInitializeIntegrityInvalidateItemKillLabelLanguageListMemoryMessageModeMountMoveMutexNamedNotificationNumaOverlappedPathPatternPipePointPolyPostPriorityPrivateProcProfileProgressProtectQueueQuitRecoveryRegionResultSectionServerSessionSpinStateStreamStringsStructSubmitSystemTempTextTickTimeTimeoutsTimesTransactedTypesUnregisterValidValidateVirtualWaitWaitableWindowWithlstrcmpi
String ID: %s\HOSqxXxJcrbBryfxhJjy$2yZfB8Btfgs6W65vFG9B8zP5Q77n$MvvUXBHppKqJTzSwECAE$MyUniqueMutex$OIUuaiu faiuhf aiu iawo.$RLYTjigKTcaqJxqnAoeHxGjKKk$Software\QmuWXPdnBvqzgorNpzrkS$UIRWsFbBKbNIyrTPwfk$epLbnkcc8CJ5xdbX6av2oBEklOP$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$seoigjisue uioase fuia.$uiashfiua auifh uiaw: $xeUZqU2TK11UkCgbav
API String ID: 3820235490-933124095
Opcode ID: f7726a4632933b2aef407a08ff99532df6bf2dc800240b54775386ff5fe4e6af
Instruction ID: 47fe157afaa9933ac916b9de4f955d853740f806c82351f50226a7bcff6b0b8c
Opcode Fuzzy Hash: f7726a4632933b2aef407a08ff99532df6bf2dc800240b54775386ff5fe4e6af
Instruction Fuzzy Hash: D3E29FF2A18A8189E711DF75E8882FD33B2FB84798F60413ADA4D57AA9DF38D544C704

Function 00007FFB1C88A530 Relevance: 160.5, APIs: 75, Strings: 16, Instructions: 1226
filethreadtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFB1C8F28A4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB1C8F28B8

CryptAcquireContextW.ADVAPI32 ref: 00007FFB1C88A5E2
CryptGenRandom.ADVAPI32 ref: 00007FFB1C88A5FF
CryptReleaseContext.ADVAPI32 ref: 00007FFB1C88A60E

Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C2C
Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C32

GetTempPathW.KERNEL32 ref: 00007FFB1C88ACD4
GetTempFileNameW.KERNEL32 ref: 00007FFB1C88ACF2
UpdateResourceW.KERNEL32 ref: 00007FFB1C88B042
SetLocalTime.KERNEL32 ref: 00007FFB1C88B04A
lstrcmpW.KERNEL32 ref: 00007FFB1C88B054
GetWriteWatch.KERNEL32 ref: 00007FFB1C88B06E
GetThreadDescription.KERNEL32 ref: 00007FFB1C88B078
TzSpecificLocalTimeToSystemTimeEx.KERNEL32 ref: 00007FFB1C88B085
CreateTimerQueue.KERNEL32 ref: 00007FFB1C88B08B
MapViewOfFile.KERNEL32 ref: 00007FFB1C88B0A0
TerminateProcess.KERNEL32 ref: 00007FFB1C88B0AA
GlobalUnlock.KERNEL32 ref: 00007FFB1C88B0B2
SetThreadUILanguage.KERNEL32 ref: 00007FFB1C88B0BA
GetTickCount.KERNEL32 ref: 00007FFB1C88B0C0
SetConsoleCP.KERNEL32 ref: 00007FFB1C88B0C8
GetProcessIoCounters.KERNEL32 ref: 00007FFB1C88B0D2
GetComputerNameW.KERNEL32 ref: 00007FFB1C88B0DC
CreateThreadpoolWork.KERNEL32 ref: 00007FFB1C88B0E9
CreateSemaphoreW.KERNEL32 ref: 00007FFB1C88B10C
CloseHandle.KERNEL32 ref: 00007FFB1C88B11A
BindIoCompletionCallback.KERNEL32 ref: 00007FFB1C88B21F
TrySubmitThreadpoolCallback.KERNEL32 ref: 00007FFB1C88B22C
AddSecureMemoryCacheCallback.KERNEL32 ref: 00007FFB1C88B234
GetSystemPowerStatus.KERNEL32 ref: 00007FFB1C88B23C
CopyFileW.KERNEL32 ref: 00007FFB1C88B249
UnlockFileEx.KERNEL32 ref: 00007FFB1C88B25E
GetNamedPipeClientComputerNameW.KERNEL32 ref: 00007FFB1C88B26B
LCMapStringW.KERNEL32 ref: 00007FFB1C88B285
FindFirstStreamTransactedW.KERNEL32 ref: 00007FFB1C88B29F
EnumSystemGeoID.KERNEL32 ref: 00007FFB1C88B2AC
GetDurationFormatEx.KERNEL32 ref: 00007FFB1C88B2D7
FindNextFileW.KERNEL32 ref: 00007FFB1C88B2E1
SetCurrentDirectoryW.KERNEL32 ref: 00007FFB1C88B2E9
GetCalendarInfoEx.KERNEL32 ref: 00007FFB1C88B311
IsValidLocale.KERNEL32 ref: 00007FFB1C88B31B
CreateDirectoryTransactedW.KERNEL32 ref: 00007FFB1C88B32B
FreeUserPhysicalPages.KERNEL32 ref: 00007FFB1C88B338
GetProcessGroupAffinity.KERNEL32 ref: 00007FFB1C88B345
AddResourceAttributeAce.KERNEL32 ref: 00007FFB1C88B364
VerSetConditionMask.KERNEL32 ref: 00007FFB1C88B481
CreateThreadpoolWait.KERNEL32 ref: 00007FFB1C88B48E
GetComputerNameExW.KERNEL32 ref: 00007FFB1C88B49B
GetUserPreferredUILanguages.KERNEL32 ref: 00007FFB1C88B4AB
LocalFree.KERNEL32 ref: 00007FFB1C88B4B3
WriteFile.KERNEL32 ref: 00007FFB1C88B4C8
SetThreadLocale.KERNEL32 ref: 00007FFB1C88B4D0
CreateDirectoryExW.KERNEL32 ref: 00007FFB1C88B4DD
GetNamedPipeInfo.KERNEL32 ref: 00007FFB1C88B4F2
CompareFileTime.KERNEL32 ref: 00007FFB1C88B4FC
CancelSynchronousIo.KERNEL32 ref: 00007FFB1C88B504
GetProcessTimes.KERNEL32 ref: 00007FFB1C88B519
NeedCurrentDirectoryForExePathW.KERNEL32 ref: 00007FFB1C88B521

Strings

sUkS9lyx1WUHROrzmPcsGC, xrefs: 00007FFB1C88B8DE
NeVhUh2OHw64MfqTbtTxj46, xrefs: 00007FFB1C88B886
yozZDV25D51V1rXtOQrzT3TnUW, xrefs: 00007FFB1C88B30A
BvpoC, xrefs: 00007FFB1C88B728
ios_base::failbit set, xrefs: 00007FFB1C88B65D
ios_base::eofbit set, xrefs: 00007FFB1C88B664
ios_base::badbit set, xrefs: 00007FFB1C88ADCC
saAjSl8m7UrGvqFpNzBx, xrefs: 00007FFB1C88B2D0
txt, xrefs: 00007FFB1C88AD29
iuwvHGUMVRWoWOILfPZgpr, xrefs: 00007FFB1C88B0FB
HEX, xrefs: 00007FFB1C88ACE4
LIND, xrefs: 00007FFB1C88A6D7
XWJGrTx1XKv2NLjLfl2gG, xrefs: 00007FFB1C88B298
r9Vt221F2T95e5EVi78H, xrefs: 00007FFB1C88B2BC
BzltHq149DI5qfA6B62, xrefs: 00007FFB1C88B301
LMXsrbmmsQZQSEWltoqEGoFhBwrk, xrefs: 00007FFB1C88B9B6

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$CreateTime$DirectoryNameProcessSystem$CallbackComputerCryptLocalThreadThreadpool$Concurrency::cancel_current_taskContextCurrentFindFreeInfoLocaleNamedPathPipeResourceTempTransactedUnlockUserWrite$AcquireAffinityAttributeBindCacheCalendarCancelClientCloseCompareCompletionConditionConsoleCopyCountCountersDescriptionDurationEnumFirstFormatGlobalGroupHandleLanguageLanguagesMaskMemoryNeedNextPagesPhysicalPowerPreferredQueueRandomReleaseSecureSemaphoreSpecificStatusStreamStringSubmitSynchronousTerminateTickTimerTimesUpdateValidViewWaitWatchWorklstrcmp
String ID: BvpoC$BzltHq149DI5qfA6B62$HEX$LIND$LMXsrbmmsQZQSEWltoqEGoFhBwrk$NeVhUh2OHw64MfqTbtTxj46$XWJGrTx1XKv2NLjLfl2gG$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$iuwvHGUMVRWoWOILfPZgpr$r9Vt221F2T95e5EVi78H$sUkS9lyx1WUHROrzmPcsGC$saAjSl8m7UrGvqFpNzBx$txt$yozZDV25D51V1rXtOQrzT3TnUW
API String ID: 1475749465-328896319
Opcode ID: 7e14b97be8bdcffb6990ce3a00626400b34134e112207cbd75da923a7813bbb9
Instruction ID: 3a4b4c87134e18d4206a7fd555be1a0e781a632b757a3f56dc0e141b59552642
Opcode Fuzzy Hash: 7e14b97be8bdcffb6990ce3a00626400b34134e112207cbd75da923a7813bbb9
Instruction Fuzzy Hash: 04D27DB2A18B818AE710CFB4E8843ED77B2FB94358F208139DA8D57A69DF38D155C744

Function 00007FFB1C884860 Relevance: 158.3, APIs: 86, Strings: 4, Instructions: 827
timefilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFB1C88C640: SetThreadGroupAffinity.KERNEL32 ref: 00007FFB1C88C6B7
Part of subcall function 00007FFB1C88C640: SetTapeParameters.KERNEL32 ref: 00007FFB1C88C6C4
Part of subcall function 00007FFB1C88C640: QueryDosDeviceW.KERNEL32 ref: 00007FFB1C88C6D6
Part of subcall function 00007FFB1C88C640: WaitForDebugEvent.KERNEL32 ref: 00007FFB1C88C6E0
Part of subcall function 00007FFB1C88C640: DeregisterShellHookWindow.USER32 ref: 00007FFB1C88C6E8
Part of subcall function 00007FFB1C88C640: CreateEventW.KERNEL32 ref: 00007FFB1C88C6F8
Part of subcall function 00007FFB1C88C640: CreateFileMappingFromApp.KERNEL32 ref: 00007FFB1C88C70D
Part of subcall function 00007FFB1C88C640: RegisterClassExW.USER32 ref: 00007FFB1C88C715
Part of subcall function 00007FFB1C88C640: UnlockFile.KERNEL32 ref: 00007FFB1C88C72A
Part of subcall function 00007FFB1C88C640: CancelIoEx.KERNEL32 ref: 00007FFB1C88C734
Part of subcall function 00007FFB1C88C640: ArrangeIconicWindows.USER32 ref: 00007FFB1C88C73C
Part of subcall function 00007FFB1C88C640: CloseThreadpoolIo.KERNEL32 ref: 00007FFB1C88C744
Part of subcall function 00007FFB1C88C640: PowerSetRequest.KERNEL32 ref: 00007FFB1C88C74E
Part of subcall function 00007FFB1C88C640: GetCursor.USER32 ref: 00007FFB1C88C754
Part of subcall function 00007FFB1C88C640: BroadcastSystemMessageExW.USER32 ref: 00007FFB1C88C76E
Part of subcall function 00007FFB1C88C640: DestroyWindow.USER32 ref: 00007FFB1C88C776
Part of subcall function 00007FFB1C88C640: EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C88C780
Part of subcall function 00007FFB1C88C640: WriteTapemark.KERNEL32 ref: 00007FFB1C88C790
Part of subcall function 00007FFB1C88C640: HeapValidate.KERNEL32 ref: 00007FFB1C88C79D
Part of subcall function 00007FFB1C88C640: CloseWindowStation.USER32 ref: 00007FFB1C88C7A5
Part of subcall function 00007FFB1C88C640: SetConsoleTextAttribute.KERNEL32 ref: 00007FFB1C88C7AF

GetDurationFormat.KERNEL32 ref: 00007FFB1C884D54
GetPaletteEntries.GDI32 ref: 00007FFB1C884D64
InitOnceComplete.KERNEL32 ref: 00007FFB1C884D71
GetSystemDefaultUILanguage.KERNEL32 ref: 00007FFB1C884D77
GlobalHandle.KERNEL32 ref: 00007FFB1C884D7F
GetModuleHandleW.KERNEL32 ref: 00007FFB1C884D87
GetProcessGroupAffinity.KERNEL32 ref: 00007FFB1C884D94
SetCommBreak.KERNEL32 ref: 00007FFB1C884D9C
DeleteBoundaryDescriptor.KERNEL32 ref: 00007FFB1C884DA4
DeleteTimerQueueTimer.KERNEL32 ref: 00007FFB1C884DB1
OpenFileMappingW.KERNEL32 ref: 00007FFB1C884DBE
GetPolyFillMode.GDI32 ref: 00007FFB1C884DC6
SetTapeParameters.KERNEL32 ref: 00007FFB1C884DD3
EnumResourceTypesW.KERNEL32 ref: 00007FFB1C884DE0
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C884DE8
GetProcessIoCounters.KERNEL32 ref: 00007FFB1C884DF2
HeapLock.KERNEL32 ref: 00007FFB1C884DFA
IsDebuggerPresent.KERNEL32 ref: 00007FFB1C884E00
CreateBoundaryDescriptorW.KERNEL32 ref: 00007FFB1C884E0A
GetGeoInfoW.KERNEL32 ref: 00007FFB1C884E1F
GetPolyFillMode.GDI32 ref: 00007FFB1C884E27
SetBkColor.GDI32 ref: 00007FFB1C884E31

Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C2C
Part of subcall function 00007FFB1C8E6BFC: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C32

HeapCreate.KERNEL32 ref: 00007FFB1C884EA0
UnregisterApplicationRestart.KERNEL32 ref: 00007FFB1C884EA6
SetFileApisToOEM.KERNEL32 ref: 00007FFB1C884EAC
AllocateUserPhysicalPages.KERNEL32 ref: 00007FFB1C884EB9
CreateSemaphoreExW.KERNEL32 ref: 00007FFB1C884ED1
CreateFileW.KERNEL32 ref: 00007FFB1C884EEE
LoadLibraryW.KERNEL32 ref: 00007FFB1C884EF6
CancelSynchronousIo.KERNEL32 ref: 00007FFB1C884EFE
ApplicationRecoveryInProgress.KERNEL32 ref: 00007FFB1C884F06
EscapeCommFunction.KERNEL32 ref: 00007FFB1C884F10
SetHandleInformation.KERNEL32 ref: 00007FFB1C884F1D
CancelSynchronousIo.KERNEL32 ref: 00007FFB1C884F25
ApplicationRecoveryInProgress.KERNEL32 ref: 00007FFB1C884F2D
GetNumberOfConsoleInputEvents.KERNEL32 ref: 00007FFB1C884F37
ReleaseMutex.KERNEL32 ref: 00007FFB1C884F3F
ReadFileEx.KERNEL32 ref: 00007FFB1C884F54
GetOverlappedResult.KERNEL32 ref: 00007FFB1C884F64
SetThreadGroupAffinity.KERNEL32 ref: 00007FFB1C884F71
SetEventWhenCallbackReturns.KERNEL32 ref: 00007FFB1C8850D1
GetUserDefaultUILanguage.KERNEL32 ref: 00007FFB1C8850D7
GetDurationFormat.KERNEL32 ref: 00007FFB1C8850FC
BuildCommDCBAndTimeoutsW.KERNEL32 ref: 00007FFB1C885109
FindCloseChangeNotification.KERNEL32 ref: 00007FFB1C885111
GetFileAttributesExW.KERNEL32 ref: 00007FFB1C88511E
QueryThreadCycleTime.KERNEL32 ref: 00007FFB1C885128
GetComputerNameW.KERNEL32 ref: 00007FFB1C885132
EnumCalendarInfoExW.KERNEL32 ref: 00007FFB1C885142
Wow64EnableWow64FsRedirection.KERNEL32 ref: 00007FFB1C88514A
CallbackMayRunLong.KERNEL32 ref: 00007FFB1C885152
InitOnceInitialize.KERNEL32 ref: 00007FFB1C88515A
DuplicateHandle.KERNEL32 ref: 00007FFB1C885176
GetFileTime.KERNEL32 ref: 00007FFB1C885186
GlobalSize.KERNEL32 ref: 00007FFB1C88518E
FlushViewOfFile.KERNEL32 ref: 00007FFB1C885198
GlobalLock.KERNEL32 ref: 00007FFB1C8851A0
GetCurrentConsoleFont.KERNEL32 ref: 00007FFB1C8851AD
EnterCriticalSection.KERNEL32 ref: 00007FFB1C8851B5
CreateThreadpoolWork.KERNEL32 ref: 00007FFB1C8851C2
CreateBoundaryDescriptorW.KERNEL32 ref: 00007FFB1C8851CC
PeekNamedPipe.KERNEL32 ref: 00007FFB1C8851E6
GetNamedPipeClientSessionId.KERNEL32 ref: 00007FFB1C8851F0
UnmapViewOfFile.KERNEL32 ref: 00007FFB1C8851F8
EnterCriticalSection.KERNEL32 ref: 00007FFB1C885200
EnumDateFormatsW.KERNEL32 ref: 00007FFB1C885297
CreateFiberEx.KERNEL32 ref: 00007FFB1C8852AC
GetSystemPreferredUILanguages.KERNEL32 ref: 00007FFB1C8852BC
LCMapStringW.KERNEL32 ref: 00007FFB1C8852D5
CancelWaitableTimer.KERNEL32 ref: 00007FFB1C8852DD
SetLocalTime.KERNEL32 ref: 00007FFB1C8852E5
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFB1C8852EF
DeleteTimerQueue.KERNEL32 ref: 00007FFB1C8852F7
TryAcquireSRWLockShared.KERNEL32 ref: 00007FFB1C8852FF
FillConsoleOutputAttribute.KERNEL32 ref: 00007FFB1C885315
DeleteTimerQueueTimer.KERNEL32 ref: 00007FFB1C885322
QueryPerformanceCounter.KERNEL32 ref: 00007FFB1C88532A
SetConsoleTextAttribute.KERNEL32 ref: 00007FFB1C885334
GetConsoleWindow.KERNEL32 ref: 00007FFB1C88533A
CheckNameLegalDOS8Dot3W.KERNEL32 ref: 00007FFB1C88534F
GetLongPathNameW.KERNEL32 ref: 00007FFB1C88535C
GetNumaProximityNode.KERNEL32 ref: 00007FFB1C885366
DnsHostnameToComputerNameW.KERNEL32 ref: 00007FFB1C885373
AddSecureMemoryCacheCallback.KERNEL32 ref: 00007FFB1C88537B
LoadModule.KERNEL32 ref: 00007FFB1C88538A
ApplicationRecoveryInProgress.KERNEL32 ref: 00007FFB1C885392

Strings

Ys/9QONCp8n0cU3NOTiat2ggdwCpIUgIMDY5rMd6p138nnIlZL4GixKOIg2vIeSUw+MVj89cml8oVDzwveXDHqGLXLVyPSL3aRZwdowZ+oOeJpbRduFnEnHBDzLec+djK7Irz1aZVO/u6qspMA7wqml5TyJpBBDK/e6LNXbaKfZwytHPpBfna/wF3WfdoWOSG0prTv8DxXAvsFM9TcziiWIrVwgRPbceuFCUjlj3RWVc+zqfHcsflYxL1hTxbW5E0H8F, xrefs: 00007FFB1C884E7B
2LeHsJ6Ggiv3SJ1aeMisO2ZxAB89, xrefs: 00007FFB1C884D3E
cwhJqaUzL9JqqQ7euryZW1d, xrefs: 00007FFB1C8850E6
rK6esamlRxaxFC2c85VcSlimLTSf4, xrefs: 00007FFB1C885383

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$Create$ConsoleTimer$ApplicationCancelDeleteEnumHandleLockNameSystemWindow$AffinityAttributeBoundaryCallbackCloseCommCriticalDescriptorEventFillGlobalGroupHeapProgressQueryQueueRecoverySectionThreadTime$AcquireComputerConcurrency::cancel_current_taskDefaultDurationEnterFormatInfoInitInitializeLanguageLoadLongMappingModeModuleNamedOnceParametersPipePolyProcessSynchronousTapeTextThreadpoolUserViewWow64$AllocateApisArrangeAttributesBreakBroadcastBuildCacheCalendarChangeCheckClassClientColorCompleteCountCounterCountersCurrentCursorCycleDateDebugDebuggerDeregisterDestroyDeviceDot3DuplicateEnableEntriesEscapeEventsExclusiveFiberFindFlushFontFormatsFromFunctionHookHostnameIconicInformationInputLanguagesLegalLibraryLocalLocalesMemoryMessageMutexNodeNotificationNumaNumberOpenOutputOverlappedPagesPalettePathPeekPerformancePhysicalPowerPreferredPresentProximityReadRedirectionRegisterReleaseRequestResourceRestartResultReturnsSecureSemaphoreSessionSharedShellSizeSpinStationStringTapemarkTimeoutsTypesUnlockUnmapUnregisterValidateWaitWaitableWhenWindowsWorkWrite
String ID: 2LeHsJ6Ggiv3SJ1aeMisO2ZxAB89$Ys/9QONCp8n0cU3NOTiat2ggdwCpIUgIMDY5rMd6p138nnIlZL4GixKOIg2vIeSUw+MVj89cml8oVDzwveXDHqGLXLVyPSL3aRZwdowZ+oOeJpbRduFnEnHBDzLec+djK7Irz1aZVO/u6qspMA7wqml5TyJpBBDK/e6LNXbaKfZwytHPpBfna/wF3WfdoWOSG0prTv8DxXAvsFM9TcziiWIrVwgRPbceuFCUjlj3RWVc+zqfHcsflYxL1hTxbW5E0H8F$cwhJqaUzL9JqqQ7euryZW1d$rK6esamlRxaxFC2c85VcSlimLTSf4
API String ID: 1594207056-2226888895
Opcode ID: 3ce42ff865ff6b8f537a671fd0d7a1675004025344a74e9bf62ebe709e67bf78
Instruction ID: e52500f26936df783fb98368770eea7acae1850d0009ac04499a6cb1f36da2a7
Opcode Fuzzy Hash: 3ce42ff865ff6b8f537a671fd0d7a1675004025344a74e9bf62ebe709e67bf78
Instruction Fuzzy Hash: 498271B2A18B91CAF714CFB4E4552EE33B6FB98758F20413AEA495AE58DF38D105C704

Function 00007FFB1C88F150 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 204
threadmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadUILanguage.KERNEL32 ref: 00007FFB1C88F1BC
FreeLibraryWhenCallbackReturns.KERNEL32 ref: 00007FFB1C88F1C6
TransactNamedPipe.KERNEL32 ref: 00007FFB1C88F1E4
WriteProfileSectionW.KERNEL32 ref: 00007FFB1C88F1EE
VirtualFreeEx.KERNEL32 ref: 00007FFB1C88F1FE
SetComputerNameExW.KERNEL32 ref: 00007FFB1C88F208
FatalAppExitW.KERNEL32 ref: 00007FFB1C88F212
RemoveVectoredExceptionHandler.KERNEL32 ref: 00007FFB1C88F21A
DeleteFiber.KERNEL32 ref: 00007FFB1C88F222
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFB1C88F22C
GetFinalPathNameByHandleW.KERNEL32 ref: 00007FFB1C88F23C
GetOEMCP.KERNEL32 ref: 00007FFB1C88F242
CreateThreadpoolIo.KERNEL32 ref: 00007FFB1C88F252
EnumCalendarInfoW.KERNEL32 ref: 00007FFB1C88F262
FlsAlloc.KERNEL32 ref: 00007FFB1C88F26A
ConvertThreadToFiberEx.KERNEL32 ref: 00007FFB1C88F274
CreateMailslotW.KERNEL32 ref: 00007FFB1C88F284
GetUserPreferredUILanguages.KERNEL32 ref: 00007FFB1C88F294
GetConsoleWindow.KERNEL32 ref: 00007FFB1C88F29A
CreateFileMappingFromApp.KERNEL32 ref: 00007FFB1C88F2B6
AddDllDirectory.KERNEL32 ref: 00007FFB1C88F2C3
IsBadWritePtr.KERNEL32 ref: 00007FFB1C88F3C8
OutputDebugStringW.KERNEL32 ref: 00007FFB1C88F3D0
DeleteProcThreadAttributeList.KERNEL32 ref: 00007FFB1C88F3D8
BackupWrite.KERNEL32 ref: 00007FFB1C88F3F5
GetLogicalProcessorInformation.KERNEL32 ref: 00007FFB1C88F3FF
LocalFileTimeToFileTime.KERNEL32 ref: 00007FFB1C88F409
FindFirstFileNameW.KERNEL32 ref: 00007FFB1C88F41E
GetModuleFileNameW.KERNEL32 ref: 00007FFB1C88F42B
CreateSymbolicLinkW.KERNEL32 ref: 00007FFB1C88F438
WriteConsoleOutputCharacterW.KERNEL32 ref: 00007FFB1C88F44E
GetProcessIdOfThread.KERNEL32 ref: 00007FFB1C88F456
OutputDebugStringA.KERNEL32 ref: 00007FFB1C88F467

Strings

FU4UrimC23pX8Mlsm9R9A6oKP5, xrefs: 00007FFB1C88F2BC
jRcjfHfZJtfbiEu, xrefs: 00007FFB1C88F460
l2jci1TAkyF4b62O6HhEB, xrefs: 00007FFB1C88F417
eQn1FVdPJAPtefQYbx294LhlRnCd, xrefs: 00007FFB1C88F2A0

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$CreateNameThreadWrite$ConsoleOutput$DebugDeleteFiberFreeHandlerStringTime$AllocAttributeBackupCalendarCallbackCharacterComputerConvertCtrlDirectoryEnumExceptionExitFatalFinalFindFirstFromHandleInfoInformationLanguageLanguagesLibraryLinkListLocalLogicalMailslotMappingModuleNamedPathPipePreferredProcProcessProcessorProfileRemoveReturnsSectionSymbolicThreadpoolTransactUserVectoredVirtualWhenWindow
String ID: FU4UrimC23pX8Mlsm9R9A6oKP5$eQn1FVdPJAPtefQYbx294LhlRnCd$jRcjfHfZJtfbiEu$l2jci1TAkyF4b62O6HhEB
API String ID: 1433329356-21634095
Opcode ID: 9dcb506f7a89ecf41dfc1d65955f4cba74ba401fee2385ad14e744a90a8a5611
Instruction ID: 36dc64c32c251b8350b0636ece27164631537429b4864df9aca7bb895d123a23
Opcode Fuzzy Hash: 9dcb506f7a89ecf41dfc1d65955f4cba74ba401fee2385ad14e744a90a8a5611
Instruction Fuzzy Hash: 73A191B2A14A41CAE715DF74E8596EE73A3FF98358F608039DA4E4AD68DE3DD104C304

Function 00007FFB1C883C30 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21088512f5d237f9ce287a99859aef00dc994c6665acdeb13479b4987fa4f58f
Instruction ID: ed2033d5b5e6a63d1701ce816a0ab4746851fbd3bf1b0b9d046d49e60f63cf44
Opcode Fuzzy Hash: 21088512f5d237f9ce287a99859aef00dc994c6665acdeb13479b4987fa4f58f
Instruction Fuzzy Hash: 4C31F673A05B80EDE701CFB4E4803DD73B9EB6434CF10812AAB8C57A69EA34C264C354

Function 00007FFB1C8E7378 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB1C8E73A0
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB1C8E73F2
_RTC_Initialize.LIBCMT ref: 00007FFB1C8E7420
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB1C8E7446
__scrt_release_startup_lock.LIBCMT ref: 00007FFB1C8E7471

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: c0ff84cd4ddafac896b072170a8019a3b91be3d8454282f1e91c0a94af474c71
Instruction ID: 0920c93c245bb42afac0a8377d32e419162b9fc627de224d9aa5064ac6a77844
Opcode Fuzzy Hash: c0ff84cd4ddafac896b072170a8019a3b91be3d8454282f1e91c0a94af474c71
Instruction Fuzzy Hash: 43816DE1E08E4786FA55BB75E8C92FA2793AF457A4F744035EA0D477A6DF2CE8418300

Function 00007FFB1C8FAC30 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FFB1C8FACA9
GetFileType.KERNEL32 ref: 00007FFB1C8FACBF

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e8e2eccca06e41c7f9c79d71546eeb7a8bcaa924752108d5b79b2e045a96cba7
Instruction ID: e467b403872949ac86ad190fae02d979b4da363c5d7ff37ab1d3efc070fc4e51
Opcode Fuzzy Hash: e8e2eccca06e41c7f9c79d71546eeb7a8bcaa924752108d5b79b2e045a96cba7
Instruction Fuzzy Hash: BD3190A1A18E4682D7608B25D5D91F8A752FB45BB0F79033ADB6E473E4CF38E4A1D300

Function 00007FFB1C8E6BFC Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C2C

Part of subcall function 00007FFB1C8E52D4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFB1C8E52DD

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8E6C32

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 8ac0cb602100282bbecd9d9cadd04f9bf5dc1151e1194e8ce4bdec8745722736
Instruction ID: b5fc71dc89c95383c4f9e92177dc763862422c9ec2cc3bbbf89ea61ad99ccd36
Opcode Fuzzy Hash: 8ac0cb602100282bbecd9d9cadd04f9bf5dc1151e1194e8ce4bdec8745722736
Instruction Fuzzy Hash: 86E0E2C0E5AD0B42FD6832B296DE0F402428F1A778F3A1B34D97D096C3FE2CA4918260

Function 00007FFB1C8E0900 Relevance: 1.6, APIs: 1, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE ref: 00007FFB1C8E0975

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f4b8e0852565ae240f485a8ed5b173096ae8d21d336fe275133f3bd28a2ee16b
Instruction ID: 53cc0c1ed362a7f8318b9b7938530bd1edc8865afd91661a03e4cc0404c8cb04
Opcode Fuzzy Hash: f4b8e0852565ae240f485a8ed5b173096ae8d21d336fe275133f3bd28a2ee16b
Instruction Fuzzy Hash: 3311F0F7610A84D6DB50CFAAC4853A877A0E799F8AF29D01ACF1D47350DB3AC189C701

Function 00007FFB1C8E06D0 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFB1C8E070E

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 321bf7ddb35cc8f1c40cc9d624e5687d367040881796733002d111e19bba4b8e
Instruction ID: ba44f8321f83f8fe8080f1f140b3ddfd4bbcee387367348176c8f4cd5f0b7734
Opcode Fuzzy Hash: 321bf7ddb35cc8f1c40cc9d624e5687d367040881796733002d111e19bba4b8e
Instruction Fuzzy Hash: 791103B7700A88C6CB50CF5AD589AA87760F79CB89F268116DF0D43360DB36C495CB41

Function 00007FFB1C8BE030 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8BE0FD

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: eb99b7c9b8b06846b0619a655d2cd4428b816eab63ca5643def7bd64ef54a902
Instruction ID: 5e3b8c71a6a71c30d64c26ad1267b18fd6b6f0acf45debddece93129498ec0cf
Opcode Fuzzy Hash: eb99b7c9b8b06846b0619a655d2cd4428b816eab63ca5643def7bd64ef54a902
Instruction Fuzzy Hash: D52126F5A08E4A95E611CB21F8881F97366BB887A0B744236DA8C43764EF3CE555C704

Function 00007FFB1C8D1930 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8D19FD

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 0e8c4ecb98c5fb7eb5495fd46d75b7b1a05d020c85ca42f46ba235df274f9775
Instruction ID: 53a794bb5605d9bbee2367cb44f5092523bbf43f4588917d738a4c30243ae63f
Opcode Fuzzy Hash: 0e8c4ecb98c5fb7eb5495fd46d75b7b1a05d020c85ca42f46ba235df274f9775
Instruction Fuzzy Hash: F12128F5A08F8A91E611CB21F8840F97366BB847B0B744236DA4C43764DF3CE595C704

Function 00007FFB1C8CB990 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8CBA5D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: bfeed1bf537bc5bc31d5400d5b5fc0e51ee1195fea95fc793497e09899e5ecb0
Instruction ID: 2eb6948cad8c7e0867ff83fe888b4ee9d820f09dccfce09377a046336e6dc88a
Opcode Fuzzy Hash: bfeed1bf537bc5bc31d5400d5b5fc0e51ee1195fea95fc793497e09899e5ecb0
Instruction Fuzzy Hash: 5921F8F1A09E4681E711DB25E8841F973A6FB887A0B744236D68D43764DF3CE555C708

Function 00007FFB1C8C5AA0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8C5B6D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 59a2e54966b01aefdc318707cd061cd3247878b66ce242c31fd6e017fe5c9d00
Instruction ID: 20e698cf43ff70569a4343bf2dd95493a2ad330f3af015dde73a6a91f2775e47
Opcode Fuzzy Hash: 59a2e54966b01aefdc318707cd061cd3247878b66ce242c31fd6e017fe5c9d00
Instruction Fuzzy Hash: E821C7F2A09E4A91E711CB21E8841F97366BB887B4F744236DA8C83764EF7CE555C708

Function 00007FFB1C8B9C80 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8B9D4D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 6c67dea8be60a5b0da6447cfa5f6f43b67141c6e9b740534605913bd4690308b
Instruction ID: 6c1bbea28b5f35fa6de9b8a65828ddab25cf969f40a0c46d6f8ecfaa323f1ec6
Opcode Fuzzy Hash: 6c67dea8be60a5b0da6447cfa5f6f43b67141c6e9b740534605913bd4690308b
Instruction Fuzzy Hash: 482148F1A08F4695E7118B25F8891F973A6FB887A4F644236E55C03B64EF3CE481C700

Function 00007FFB1C8CD540 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8CD60D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 663ba28ac012437984d02a80a220768b583f8a79959cbed652c42b63b96ce58c
Instruction ID: b5f0eca06f4fd9082c60990c3661025e5a204353e3c48a6b61cd52102d7fa20f
Opcode Fuzzy Hash: 663ba28ac012437984d02a80a220768b583f8a79959cbed652c42b63b96ce58c
Instruction Fuzzy Hash: 6121D8F5A08E4A81E6119B21E8941F973A6BB887F4F744236DA4C437A4DF3CE555CB08

Function 00007FFB1C8BD2C0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8BD38D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 2d121a806d63696902e263e2261ebc86e68b1848c29a8b84e914aab6f3b52844
Instruction ID: f4e74aaf94c03fb59ec0b735528bfb61d5dc3a6068400039ea9783c89cd1bae6
Opcode Fuzzy Hash: 2d121a806d63696902e263e2261ebc86e68b1848c29a8b84e914aab6f3b52844
Instruction Fuzzy Hash: FF21F8F2A08E8791E6118B21E9841F5B3A6FB887B0B744236E94C43764EF3CE5958705

Function 00007FFB1C8D3490 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8D355D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 87d313d89d92624dcdc9d58950f963a051ebb52b9c6e22af8920989bdd7a5c56
Instruction ID: 99292f24ef88490790112d54ee4c10ae9678572de964492a9ab0f08ea3e764d9
Opcode Fuzzy Hash: 87d313d89d92624dcdc9d58950f963a051ebb52b9c6e22af8920989bdd7a5c56
Instruction Fuzzy Hash: 932125F2A08F4B81E6118B21E8885F973A6BB887B0F744236D94C43764EF3CE554C745

Function 00007FFB1C8C4D30 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8C4DFD

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 923b1a4090ce109fa3c85acdfdf88055cf3c3c3486537345a815099710e6bd56
Instruction ID: 1e779edb59ad7922678cbe683aa7a7792520dffda5d15f2a4ee3c56de6279be5
Opcode Fuzzy Hash: 923b1a4090ce109fa3c85acdfdf88055cf3c3c3486537345a815099710e6bd56
Instruction Fuzzy Hash: FF212AF5A08F4681E611CB65E8841F97366BB887B4F344636DA4D43B60EF3CE595C708

Function 00007FFB1C8B8EF0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8B8FBD

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 26a7dfd63e766b9e3a79e55f6b750d5bf5fe4f94cc303a4796523a29cf9ef1ce
Instruction ID: 6431f527da993229349cf8c5ca8aba81892caf4e466134ffb702035cd6ed19f6
Opcode Fuzzy Hash: 26a7dfd63e766b9e3a79e55f6b750d5bf5fe4f94cc303a4796523a29cf9ef1ce
Instruction Fuzzy Hash: 652105F5A08F4A85E711CB21E8881F973A6BB887A0F744236DA4C53764EF3CE955C704

Function 00007FFB1C8C08F0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8C09BD

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: caaf5be8c35c92a345f7b81eaaec1c2324e6c44a657aa865a50d084e76f6cceb
Instruction ID: c2dcb336fc19725a03efc70d53828167fe32d990b80ac56599f63c8d42e0428c
Opcode Fuzzy Hash: caaf5be8c35c92a345f7b81eaaec1c2324e6c44a657aa865a50d084e76f6cceb
Instruction Fuzzy Hash: 3F2107F5A08F8A81E6118B21E8981F97366BB887B0F744236DA8C43764EF3CE555C708

Function 00007FFB1C8B4AC0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8B4B8D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 25d83588a2d2d94005151d259c104e0908b0190ca9b6636997085827b11d39c6
Instruction ID: 688a27baf05988b290a2facdf7902d8c17f41dd79e3e282b99a47476c255f555
Opcode Fuzzy Hash: 25d83588a2d2d94005151d259c104e0908b0190ca9b6636997085827b11d39c6
Instruction Fuzzy Hash: 422135F2A08F4A91E601CB24E8881B973A6FB887A4B744276EA4C43760EF3CE5458704

Function 00007FFB1C8BC520 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8BC5ED

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 6500ad169949d25abbe69c1a637b2f9ec7bd5a72e06d313015910343b5733e1b
Instruction ID: 48c1645d8423fd06431d1831c47dfc02308eb4435d9da9f9f4e3987345fb2c0a
Opcode Fuzzy Hash: 6500ad169949d25abbe69c1a637b2f9ec7bd5a72e06d313015910343b5733e1b
Instruction Fuzzy Hash: 4C2155F6A09F4A81E6518B21F8881F97766BB887A0F744236D94C03B60EF7CE554C704

Function 00007FFB1C8CC770 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C8CC83D

Part of subcall function 00007FFB1C8E6B84: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B94

Part of subcall function 00007FFB1C8E6B18: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B28
Part of subcall function 00007FFB1C8E6B18: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFB1C8E6B68

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 927f4d30a7545e9629de110400db363183cc3a112a83307d8164c48a2a2dc159
Instruction ID: e2c33df7cd0273c4ae9577984fddf240fa184ec3b447291909d38df58a02fc7d
Opcode Fuzzy Hash: 927f4d30a7545e9629de110400db363183cc3a112a83307d8164c48a2a2dc159
Instruction Fuzzy Hash: E221F8F5A08E4A81E611CB21E8941F57366FB85BE4F744236E54C43BA4EF3CE555C708

Function 00007FFB1C905088 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C9050B3

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2ceb4d5cf33087d62bc5b558179ae52c632fa1f7f6bab7d19357e92fd11e18ff
Instruction ID: 9d80ac75a4d6592b0d549ad33f15568c753088ef2bea1d02125c95191f497461
Opcode Fuzzy Hash: 2ceb4d5cf33087d62bc5b558179ae52c632fa1f7f6bab7d19357e92fd11e18ff
Instruction Fuzzy Hash: 771160F1909E82C6F3519B24E8881B973AAFB407E0F750434E65E57696DE3CE9208B48

Function 00007FFB1C8E0C90 Relevance: 1.5, APIs: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 00007FFB1C8E0CFB

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 63a3769490ac361e987acf101e4ca7f86bc07a43bc2544b466abdcec6eee52cd
Instruction ID: 931cbf575b31df11d0e52f4ad54e811a4495e315315617c663f8ba1342fe5869
Opcode Fuzzy Hash: 63a3769490ac361e987acf101e4ca7f86bc07a43bc2544b466abdcec6eee52cd
Instruction Fuzzy Hash: 34019D7A604F88D6CB50CF1AE58028AB7A0F388BD4F588516EF8D47B28CB38D561CB04

Function 00007FFB1C8E0D30 Relevance: 1.5, APIs: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FFB1C8E0D86

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1d5b515d84ae4ba224acf11471ed87933b4847b630e0cd98cdfba70a3cd6e0ff
Instruction ID: ba3346dd10bc1d97ccf6f8559c773308b8840ff5e6c0cf5cb115532b19cb4361
Opcode Fuzzy Hash: 1d5b515d84ae4ba224acf11471ed87933b4847b630e0cd98cdfba70a3cd6e0ff
Instruction Fuzzy Hash: B901AE7A600B9886CB50CF1AE48021977B0F398FD4B518116DF9D53728CB79D852CB00

Function 00007FFB1C8E0F00 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNELBASE ref: 00007FFB1C8E0F45

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 1a018f851f1f377f805ad9a735c1e1fbf772d561ae6850e649be887b72fee7e2
Instruction ID: 55650d35114140a62fbf3fd1cb08e4ed52e05ab70d5bc8e037a2c072b5e90ecd
Opcode Fuzzy Hash: 1a018f851f1f377f805ad9a735c1e1fbf772d561ae6850e649be887b72fee7e2
Instruction Fuzzy Hash: 13F09DB6600B8886CB50CF5AE584A5977A0F798FD8B668026DF5D83324DB3AC895CB00

Function 00007FFB1C8E7140 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB1C8E7154

Part of subcall function 00007FFB1C8E9054: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFB1C8E905C
Part of subcall function 00007FFB1C8E9054: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFB1C8E9061

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: c3da7be3b338c016ba8c89d04683777702791abdddc79b36e056186b56e8a64c
Instruction ID: c4fb6d33f89ffd5f47bdbf8e5e5d150a24962d4fd4bcc9005a563ab82daff88c
Opcode Fuzzy Hash: c3da7be3b338c016ba8c89d04683777702791abdddc79b36e056186b56e8a64c
Instruction Fuzzy Hash: 84E0B6D0D0DA8780FE693671C5CA2F907431F22379F7010B8D96D422C39F4E240A2221

Function 00007FFB1C8E07E0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FFB1C8E0804

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
Instruction ID: acba1fe49ee8351d4f0489dbb5485bd46bb8baaf7d3ea97e89b45ff6e6ab8d73
Opcode Fuzzy Hash: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
Instruction Fuzzy Hash: BEE0E2F3701A80C6DB14CF69C48536877A1EB58B8AF19D019CB1C4B394EA3AC489CB10

Function 00007FFB1C8E09E0 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFB1C8E0A85

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d922ad616f79c91e025b5b67a9d1a5eb79c16820978d6a87348756d1ad9f1146
Instruction ID: a35303c647bb4f3348823924096db07e4d1732323a03eb108713248f0d45dfe8
Opcode Fuzzy Hash: d922ad616f79c91e025b5b67a9d1a5eb79c16820978d6a87348756d1ad9f1146
Instruction Fuzzy Hash: 6F11EFB6700A88C6CB10CF1AD488A6837A4F758BC9F268016DF1D43760DB3AC495CB00

Function 00007FFB1C8FADB4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FFB1C8FAE09

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 92fd63a398a09b1e6516ca9cdaf0f05b99a4822bb84317b4a6edacabb25cc5f3
Instruction ID: 12c2519bc738372f6c969fb81e78dc78a7bbd4ab982922eda38be20337778ccc
Opcode Fuzzy Hash: 92fd63a398a09b1e6516ca9cdaf0f05b99a4822bb84317b4a6edacabb25cc5f3
Instruction Fuzzy Hash: 21F06DD0B09A0785FE996772D99A2F5A3965F58BB1F3C4430C90E862C1EE2CE4914220

Function 00007FFB1C8FC098 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FFB1C8FC0D6

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: fe26e756a70ebcfc36e085db9103b65aa7bc0f90a4010909fc826a6484a7e219
Instruction ID: b4ddb6a73324b6c3dc2cd854bf3f65be7598ab615a2025dfd113764c62d64f48
Opcode Fuzzy Hash: fe26e756a70ebcfc36e085db9103b65aa7bc0f90a4010909fc826a6484a7e219
Instruction Fuzzy Hash: 88F08CD0F0DA0780FA756B72D8882F427825FC47B0F284630DD2EC62C1EE2CE5828110

Non-executed Functions

Function 00007FFB1C888D50 Relevance: 315.9, APIs: 168, Strings: 12, Instructions: 935threadtimefileCOMMON

Download Yara Rule

APIs

IsThreadAFiber.KERNEL32 ref: 00007FFB1C888D9A
WaitCommEvent.KERNEL32 ref: 00007FFB1C888DA7
GetFileInformationByHandle.KERNEL32 ref: 00007FFB1C888DB1
ConvertThreadToFiber.KERNEL32 ref: 00007FFB1C888DB9
IsDebuggerPresent.KERNEL32 ref: 00007FFB1C888DBF
lstrcpyW.KERNEL32 ref: 00007FFB1C888DC9
HeapCompact.KERNEL32 ref: 00007FFB1C888DD3
WaitForDebugEvent.KERNEL32 ref: 00007FFB1C888DDD
CreateTapePartition.KERNEL32 ref: 00007FFB1C888DED
GetDurationFormat.KERNEL32 ref: 00007FFB1C888E0B
OpenWaitableTimerW.KERNEL32 ref: 00007FFB1C888E18
GetProcessDEPPolicy.KERNEL32 ref: 00007FFB1C888E25
DeleteFileW.KERNEL32 ref: 00007FFB1C888E2D
LoadResource.KERNEL32 ref: 00007FFB1C888E37
CommConfigDialogW.KERNEL32 ref: 00007FFB1C888E44
EscapeCommFunction.KERNEL32 ref: 00007FFB1C888E4E
LocalHandle.KERNEL32 ref: 00007FFB1C888E56
SetupComm.KERNEL32 ref: 00007FFB1C888E63
NeedCurrentDirectoryForExePathW.KERNEL32 ref: 00007FFB1C888E6B
DisableThreadLibraryCalls.KERNEL32 ref: 00007FFB1C888E73
GetLogicalProcessorInformation.KERNEL32 ref: 00007FFB1C888E7D
GetAtomNameW.KERNEL32 ref: 00007FFB1C888F56
InitializeSListHead.KERNEL32 ref: 00007FFB1C888F5E
CloseThreadpool.KERNEL32 ref: 00007FFB1C888F66
GetSystemRegistryQuota.KERNEL32 ref: 00007FFB1C888F70
DebugActiveProcessStop.KERNEL32 ref: 00007FFB1C888F78
TzSpecificLocalTimeToSystemTimeEx.KERNEL32 ref: 00007FFB1C888F85
OpenSemaphoreW.KERNEL32 ref: 00007FFB1C888F92
CountClipboardFormats.USER32 ref: 00007FFB1C888F98
EnableWindow.USER32 ref: 00007FFB1C888FA2
MapWindowPoints.USER32 ref: 00007FFB1C888FB2
ReadThreadProfilingData.KERNEL32 ref: 00007FFB1C888FBF
CharPrevW.USER32 ref: 00007FFB1C888FC9
LockFileEx.KERNEL32 ref: 00007FFB1C888FE2
MulDiv.KERNEL32 ref: 00007FFB1C888FEF
DeleteCriticalSection.KERNEL32 ref: 00007FFB1C888FF7
MapWindowPoints.USER32 ref: 00007FFB1C889007
DeleteTimerQueueTimer.KERNEL32 ref: 00007FFB1C889014
MessageBoxW.USER32 ref: 00007FFB1C889024
GetTickCount.KERNEL32 ref: 00007FFB1C88902A
EnumPropsW.USER32 ref: 00007FFB1C889034
SetProcessAffinityMask.KERNEL32 ref: 00007FFB1C88903E
DdeQueryStringW.USER32 ref: 00007FFB1C889052
GetActiveWindow.USER32 ref: 00007FFB1C889058
CreateMemoryResourceNotification.KERNEL32 ref: 00007FFB1C889060
WaitForInputIdle.USER32 ref: 00007FFB1C88906A
WaitMessage.USER32 ref: 00007FFB1C889070
VkKeyScanExW.USER32 ref: 00007FFB1C88907A
GetUserDefaultLangID.KERNEL32 ref: 00007FFB1C889080
HeapDestroy.KERNEL32 ref: 00007FFB1C889088
GetInputState.USER32 ref: 00007FFB1C88908E
CopyFileExW.KERNEL32 ref: 00007FFB1C8890F9
ResolveLocaleName.KERNEL32 ref: 00007FFB1C88910B
GetActiveProcessorCount.KERNEL32 ref: 00007FFB1C889113
GetDefaultCommConfigW.KERNEL32 ref: 00007FFB1C889120
EnumCalendarInfoExEx.KERNEL32 ref: 00007FFB1C889142
SetCommState.KERNEL32 ref: 00007FFB1C88914C
GetUserDefaultUILanguage.KERNEL32 ref: 00007FFB1C889152
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FFB1C889162
GetUserDefaultLangID.KERNEL32 ref: 00007FFB1C889168
SetProcessDEPPolicy.KERNEL32 ref: 00007FFB1C889170
GetThreadSelectorEntry.KERNEL32 ref: 00007FFB1C8891C9
EnumResourceTypesExW.KERNEL32 ref: 00007FFB1C8891E0
SetTapeParameters.KERNEL32 ref: 00007FFB1C8891ED
GetProcessPreferredUILanguages.KERNEL32 ref: 00007FFB1C8891FD
GetNLSVersionEx.KERNEL32 ref: 00007FFB1C88920F
ReleaseMutexWhenCallbackReturns.KERNEL32 ref: 00007FFB1C889219
GetFileInformationByHandle.KERNEL32 ref: 00007FFB1C889223
OpenFileById.KERNEL32 ref: 00007FFB1C88923E
FindFirstFileW.KERNEL32 ref: 00007FFB1C889248
GetMemoryErrorHandlingCapabilities.KERNEL32 ref: 00007FFB1C889250
Wow64DisableWow64FsRedirection.KERNEL32 ref: 00007FFB1C889258
GetProcessWorkingSetSizeEx.KERNEL32 ref: 00007FFB1C889268
MapUserPhysicalPagesScatter.KERNEL32 ref: 00007FFB1C889275
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB1C88927D
EnumSystemLocalesEx.KERNEL32 ref: 00007FFB1C88928D
GetTempPathW.KERNEL32 ref: 00007FFB1C889297
AttachConsole.KERNEL32 ref: 00007FFB1C88929F
CloseThreadpoolCleanupGroup.KERNEL32 ref: 00007FFB1C8892A7
GetSystemDefaultLangID.KERNEL32 ref: 00007FFB1C8892AD
GetFinalPathNameByHandleW.KERNEL32 ref: 00007FFB1C8892BD
CreateJobObjectW.KERNEL32 ref: 00007FFB1C8892C7
EnterSynchronizationBarrier.KERNEL32 ref: 00007FFB1C8892D1
GlobalAddAtomW.KERNEL32 ref: 00007FFB1C8892D9
GetConsoleAliasesLengthW.KERNEL32 ref: 00007FFB1C8892E1
GetLastError.KERNEL32 ref: 00007FFB1C8892E7
CallNamedPipeW.KERNEL32 ref: 00007FFB1C889306
SearchPathW.KERNEL32 ref: 00007FFB1C889322
SetFileValidData.KERNEL32 ref: 00007FFB1C88932C
SetCommBreak.KERNEL32 ref: 00007FFB1C889334
MapUserPhysicalPagesScatter.KERNEL32 ref: 00007FFB1C889341
GetWriteWatch.KERNEL32 ref: 00007FFB1C8893A2
SetThreadpoolThreadMaximum.KERNEL32 ref: 00007FFB1C8893AC
ReleaseSemaphoreWhenCallbackReturns.KERNEL32 ref: 00007FFB1C8893B9
FillConsoleOutputCharacterW.KERNEL32 ref: 00007FFB1C8893D3
GetProcessorSystemCycleTime.KERNEL32 ref: 00007FFB1C8893E0
SetTextJustification.GDI32 ref: 00007FFB1C8893ED
SetDefaultDllDirectories.KERNEL32 ref: 00007FFB1C8893F5
SetBrushOrgEx.GDI32 ref: 00007FFB1C889405
GetCurrentProcessorNumberEx.KERNEL32 ref: 00007FFB1C88940D
LockFileEx.KERNEL32 ref: 00007FFB1C889427
SetConsoleDisplayMode.KERNEL32 ref: 00007FFB1C889434
SetLastError.KERNEL32 ref: 00007FFB1C88943C
WritePrivateProfileSectionW.KERNEL32 ref: 00007FFB1C889449
GetSystemTime.KERNEL32 ref: 00007FFB1C8894A2
MapUserPhysicalPagesScatter.KERNEL32 ref: 00007FFB1C8894AF
FindNextFileW.KERNEL32 ref: 00007FFB1C8894B9
GetVolumeInformationW.KERNEL32 ref: 00007FFB1C8894DD
EnumResourceTypesExW.KERNEL32 ref: 00007FFB1C8894F3
HeapCreate.KERNEL32 ref: 00007FFB1C889500
FindNextVolumeMountPointW.KERNEL32 ref: 00007FFB1C88950D
UnregisterApplicationRecoveryCallback.KERNEL32 ref: 00007FFB1C889513
GetConsoleAliasW.KERNEL32 ref: 00007FFB1C889523
QueryThreadProfiling.KERNEL32 ref: 00007FFB1C88952D
GetFullPathNameTransactedW.KERNEL32 ref: 00007FFB1C889542
WritePrivateProfileSectionW.KERNEL32 ref: 00007FFB1C88954F
GetFileTime.KERNEL32 ref: 00007FFB1C88955F
CopyFileW.KERNEL32 ref: 00007FFB1C88956C
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB1C889574
HeapValidate.KERNEL32 ref: 00007FFB1C889581
FileTimeToSystemTime.KERNEL32 ref: 00007FFB1C88958B
MoveFileWithProgressW.KERNEL32 ref: 00007FFB1C8895A0
QueryDepthSList.KERNEL32 ref: 00007FFB1C8895A8
EnumSystemFirmwareTables.KERNEL32 ref: 00007FFB1C8895B5
QueryPerformanceCounter.KERNEL32 ref: 00007FFB1C8895BD
MultiByteToWideChar.KERNEL32 ref: 00007FFB1C8895DB
GetMaximumProcessorCount.KERNEL32 ref: 00007FFB1C8895E3
GetActiveProcessorGroupCount.KERNEL32 ref: 00007FFB1C8895E9
GetSystemFirmwareTable.KERNEL32 ref: 00007FFB1C8895F9
DosDateTimeToFileTime.KERNEL32 ref: 00007FFB1C889606
InterlockedPushListSListEx.KERNEL32 ref: 00007FFB1C889616
SetThreadpoolTimerEx.KERNEL32 ref: 00007FFB1C889626
InitOnceInitialize.KERNEL32 ref: 00007FFB1C88962E
GlobalAddAtomW.KERNEL32 ref: 00007FFB1C889636
SetThreadpoolTimer.KERNEL32 ref: 00007FFB1C8898B5
GetFocus.USER32 ref: 00007FFB1C8898BB
GetNextDlgGroupItem.USER32 ref: 00007FFB1C8898C8
GetTempPathW.KERNEL32 ref: 00007FFB1C8898D2
GetDlgItemInt.USER32 ref: 00007FFB1C8898E2
CountClipboardFormats.USER32 ref: 00007FFB1C8898E8
PrivateExtractIconsW.USER32 ref: 00007FFB1C88990F
MoveFileW.KERNEL32 ref: 00007FFB1C889919
CreateDesktopExW.USER32 ref: 00007FFB1C88993D
SetCalendarInfoW.KERNEL32 ref: 00007FFB1C88994D
SendInput.USER32 ref: 00007FFB1C88995A
DrawCaption.USER32 ref: 00007FFB1C88996A
SetFileAttributesTransactedW.KERNEL32 ref: 00007FFB1C889977
EnterCriticalSection.KERNEL32 ref: 00007FFB1C88997F
ResetWriteWatch.KERNEL32 ref: 00007FFB1C88998D
WinHelpW.USER32 ref: 00007FFB1C88999D
GlobalGetAtomNameW.KERNEL32 ref: 00007FFB1C8899AA
GetLongPathNameTransactedW.KERNEL32 ref: 00007FFB1C8899BA
GetTabbedTextExtentW.USER32 ref: 00007FFB1C8899CF
SetTimeZoneInformation.KERNEL32 ref: 00007FFB1C8899D7
TranslateAcceleratorW.USER32 ref: 00007FFB1C8899E4
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C8899EC
SetWindowDisplayAffinity.USER32 ref: 00007FFB1C8899F6
UnionRect.USER32 ref: 00007FFB1C889A03
GetThreadDescription.KERNEL32 ref: 00007FFB1C889A0D
FillConsoleOutputAttribute.KERNEL32 ref: 00007FFB1C889A37
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FFB1C889A3F
GetStringScripts.KERNEL32 ref: 00007FFB1C889A59
GetTempFileNameW.KERNEL32 ref: 00007FFB1C889A69
Wow64SetThreadContext.KERNEL32 ref: 00007FFB1C889A73
SetCommTimeouts.KERNEL32 ref: 00007FFB1C889A7D
EnumResourceLanguagesW.KERNEL32 ref: 00007FFB1C889A92
QueryProcessCycleTime.KERNEL32 ref: 00007FFB1C889A9C
ExitProcess.KERNEL32 ref: 00007FFB1C889AE4

Strings

xe2ZUhVLjw7GtgDoDylXkB, xrefs: 00007FFB1C889A50
EaoOa6m25DZN7wW, xrefs: 00007FFB1C889139
tWGFpHgDlAZ85WMbs5a4kTvJjl, xrefs: 00007FFB1C889102
VUUU, xrefs: 00007FFB1C88973F
VUUU, xrefs: 00007FFB1C8897B3
gX7A4Ud2JKF8mGvOVnQ8e84Hu, xrefs: 00007FFB1C889206
TqAh9bHkh2jbQBBZtOSpF7h4, xrefs: 00007FFB1C8895CB
VUUU, xrefs: 00007FFB1C889783
VUUU, xrefs: 00007FFB1C889762
YEA62NABUGOOHl9A66DC, xrefs: 00007FFB1C889126
VUUU, xrefs: 00007FFB1C8897F9
oz6Sn442qbv1jwOWYKoCW, xrefs: 00007FFB1C888D91

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$Time$SystemThread$CommProcess$EnumNamePath$ConsoleCountDefaultProcessorUser$CreateInformationListQueryResourceThreadpoolTimerWindow$ActiveAtomHandleHeapLockSectionWaitWrite$CallbackDeleteErrorFindGlobalGroupInitializeInputLangNextOpenPagesPhysicalPrivateScatterTempTransactedWow64$AcquireAffinityAttributeCalendarCharClipboardCloseConfigCopyCriticalCurrentCycleDataDebugDisableDisplayEnterEventExclusiveFiberFillFirmwareFormatsInfoItemLanguagesLastLocalMaximumMemoryMessageMoveOutputPointsPolicyProfileProfilingReleaseReturnsSemaphoreStateStringTapeTextTypesVolumeWatchWhen$AcceleratorAliasAliasesApplicationAttachAttributesBarrierBreakBrushByteCallCallsCapabilitiesCaptionCharacterCleanupCompactContextConvertCounterDateDebuggerDepthDescriptionDesktopDestroyDialogDirectoriesDirectoryDrawDurationEnableEntryEscapeExceptionExitExtentExtractFilterFinalFirstFocusFormatFullFunctionHandlingHeadHelpIconsIdleInitInterlockedJustificationLanguageLengthLibraryLoadLocaleLocalesLogicalLongMaskModeMountMultiMutexNamedNeedNotificationNumberObjectOnceParametersPartitionPerformancePipePointPreferredPresentPrevProcProgressPropsPushQueueQuotaReadRecoveryRectRedirectionRegistryResetResolveScanScriptsSearchSelectorSendSetupSizeSpecificStopSynchronizationTabbedTableTablesTickTimeoutsTranslateUnhandledUnionUnregisterValidValidateVersionWaitableWideWithWorkingZonelstrcpy
String ID: EaoOa6m25DZN7wW$TqAh9bHkh2jbQBBZtOSpF7h4$VUUU$VUUU$VUUU$VUUU$VUUU$YEA62NABUGOOHl9A66DC$gX7A4Ud2JKF8mGvOVnQ8e84Hu$oz6Sn442qbv1jwOWYKoCW$tWGFpHgDlAZ85WMbs5a4kTvJjl$xe2ZUhVLjw7GtgDoDylXkB
API String ID: 3906559172-1135171958
Opcode ID: 53fc4e0a59a7a00dcda82954eb8e7e0a54fae63abb4233d29c076c4ca872dbfc
Instruction ID: 9369ed3ee29fccac704a3a96d8873da45d82a1f5c6eaaa97f7f6f20eac92f9c7
Opcode Fuzzy Hash: 53fc4e0a59a7a00dcda82954eb8e7e0a54fae63abb4233d29c076c4ca872dbfc
Instruction Fuzzy Hash: 5082C7F2B18E5283F729DF35E819ABA3353EF887A5F65813DDA0B49858CE3DD0458604

Function 00007FFB1C88C640 Relevance: 163.1, APIs: 84, Strings: 9, Instructions: 389threadmemoryfileCOMMON

Download Yara Rule

APIs

SetThreadGroupAffinity.KERNEL32 ref: 00007FFB1C88C6B7
SetTapeParameters.KERNEL32 ref: 00007FFB1C88C6C4
QueryDosDeviceW.KERNEL32 ref: 00007FFB1C88C6D6
WaitForDebugEvent.KERNEL32 ref: 00007FFB1C88C6E0
DeregisterShellHookWindow.USER32 ref: 00007FFB1C88C6E8
CreateEventW.KERNEL32 ref: 00007FFB1C88C6F8
CreateFileMappingFromApp.KERNEL32 ref: 00007FFB1C88C70D
RegisterClassExW.USER32 ref: 00007FFB1C88C715
UnlockFile.KERNEL32 ref: 00007FFB1C88C72A
CancelIoEx.KERNEL32 ref: 00007FFB1C88C734
ArrangeIconicWindows.USER32 ref: 00007FFB1C88C73C
CloseThreadpoolIo.KERNEL32 ref: 00007FFB1C88C744
PowerSetRequest.KERNEL32 ref: 00007FFB1C88C74E
GetCursor.USER32 ref: 00007FFB1C88C754
BroadcastSystemMessageExW.USER32 ref: 00007FFB1C88C76E
DestroyWindow.USER32 ref: 00007FFB1C88C776
EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C88C780
WriteTapemark.KERNEL32 ref: 00007FFB1C88C790
HeapValidate.KERNEL32 ref: 00007FFB1C88C79D
CloseWindowStation.USER32 ref: 00007FFB1C88C7A5
SetConsoleTextAttribute.KERNEL32 ref: 00007FFB1C88C7AF
GetTabbedTextExtentW.USER32 ref: 00007FFB1C88C7C4
IsBadWritePtr.KERNEL32 ref: 00007FFB1C88C7CE
BuildCommDCBAndTimeoutsW.KERNEL32 ref: 00007FFB1C88C7DB
GetHandleInformation.KERNEL32 ref: 00007FFB1C88C7E5
GetVolumeInformationByHandleW.KERNEL32 ref: 00007FFB1C88C809
GetPriorityClass.KERNEL32 ref: 00007FFB1C88C811
SetLastErrorEx.USER32 ref: 00007FFB1C88C81B
RemoveDllDirectory.KERNEL32 ref: 00007FFB1C88C842
SetThreadErrorMode.KERNEL32 ref: 00007FFB1C88C84C
UnregisterWaitEx.KERNEL32 ref: 00007FFB1C88C856
DebugSetProcessKillOnExit.KERNEL32 ref: 00007FFB1C88C85E
QueryPerformanceFrequency.KERNEL32 ref: 00007FFB1C88C866
DuplicateHandle.KERNEL32 ref: 00007FFB1C88C885
GetFileSizeEx.KERNEL32 ref: 00007FFB1C88C88F
HeapDestroy.KERNEL32 ref: 00007FFB1C88C897
CreateFiberEx.KERNEL32 ref: 00007FFB1C88C8AC
Wow64SuspendThread.KERNEL32 ref: 00007FFB1C88C8B4
OpenSemaphoreW.KERNEL32 ref: 00007FFB1C88C8C9
InitOnceExecuteOnce.KERNEL32 ref: 00007FFB1C88C8D9
CreateConsoleScreenBuffer.KERNEL32 ref: 00007FFB1C88C8EE
DeleteFileTransactedW.KERNEL32 ref: 00007FFB1C88C8F8
GetLocaleInfoEx.KERNEL32 ref: 00007FFB1C88C90D
GetUserPreferredUILanguages.KERNEL32 ref: 00007FFB1C88C91D
ClosePrivateNamespace.KERNEL32 ref: 00007FFB1C88C927
ReleaseSRWLockShared.KERNEL32 ref: 00007FFB1C88C92F
FindNLSStringEx.KERNEL32 ref: 00007FFB1C88C966
SignalObjectAndWait.KERNEL32 ref: 00007FFB1C88C976
FindFirstFileW.KERNEL32 ref: 00007FFB1C88C980
DefineDosDeviceW.KERNEL32 ref: 00007FFB1C88C98D
GetDurationFormat.KERNEL32 ref: 00007FFB1C88C9AC
EnumDateFormatsExEx.KERNEL32 ref: 00007FFB1C88C9C1
IsValidCodePage.KERNEL32 ref: 00007FFB1C88C9C9
FlsFree.KERNEL32 ref: 00007FFB1C88C9D1
GetProcessHeap.KERNEL32 ref: 00007FFB1C88C9D7
SetEvent.KERNEL32 ref: 00007FFB1C88CA45
GlobalDeleteAtom.KERNEL32 ref: 00007FFB1C88CA4D
DisableThreadLibraryCalls.KERNEL32 ref: 00007FFB1C88CA55
SetCurrentConsoleFontEx.KERNEL32 ref: 00007FFB1C88CA62
SetLastError.KERNEL32 ref: 00007FFB1C88CA6A
GetConsoleScreenBufferInfoEx.KERNEL32 ref: 00007FFB1C88CA74
AddResourceAttributeAce.KERNEL32 ref: 00007FFB1C88CA93
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFB1C88CAA3
GetStringTypeA.KERNEL32 ref: 00007FFB1C88CABC
SetProcessMitigationPolicy.KERNEL32 ref: 00007FFB1C88CAC9
RtlCaptureContext.KERNEL32 ref: 00007FFB1C88CAD1
RemoveDirectoryTransactedW.KERNEL32 ref: 00007FFB1C88CADB
LCIDToLocaleName.KERNEL32 ref: 00007FFB1C88CAEB
lstrcatW.KERNEL32 ref: 00007FFB1C88CAF5
HeapCreate.KERNEL32 ref: 00007FFB1C88CB02
GetNamedPipeInfo.KERNEL32 ref: 00007FFB1C88CB17
SetConsoleCP.KERNEL32 ref: 00007FFB1C88CB1F
GetFileSizeEx.KERNEL32 ref: 00007FFB1C88CB29
MoveFileWithProgressW.KERNEL32 ref: 00007FFB1C88CB3E
RemoveDirectoryTransactedW.KERNEL32 ref: 00007FFB1C88CB48
PowerCreateRequest.KERNEL32 ref: 00007FFB1C88CB50
CreatePrivateNamespaceW.KERNEL32 ref: 00007FFB1C88CB5D
BackupSeek.KERNEL32 ref: 00007FFB1C88CB77
SizeofResource.KERNEL32 ref: 00007FFB1C88CB81
WritePrivateProfileSectionW.KERNEL32 ref: 00007FFB1C88CB8E
InterlockedFlushSList.KERNEL32 ref: 00007FFB1C88CB96
FileTimeToSystemTime.KERNEL32 ref: 00007FFB1C88CBA0
FindClose.KERNEL32 ref: 00007FFB1C88CBA8
SetThreadErrorMode.KERNEL32 ref: 00007FFB1C88CBB2

Strings

tTIksRjj97jL38M1Q3, xrefs: 00007FFB1C88C93A
\, xrefs: 00007FFB1C88C668
2yWC9N95qtwUxh6Zu4tr64aS3, xrefs: 00007FFB1C88C9B5
I6zau8MrisShdWKX2dR9eg288ft3, xrefs: 00007FFB1C88C68E
hHhLzpLo29z1LJNcXkl5oXW8Ag, xrefs: 00007FFB1C88C901
8cE2bpoSKbKGQWL662m1W52YJX3xN, xrefs: 00007FFB1C88C946
B68fbV64CP46p724ee5, xrefs: 00007FFB1C88C67F
yG4QzssvJ81N381c1pKP4G, xrefs: 00007FFB1C88CAB1
YtS15VItdjosnwZE1q, xrefs: 00007FFB1C88C695

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$Create$ConsoleThread$CloseErrorHeap$DirectoryEventFindHandleInfoPrivateProcessRemoveSystemTransactedWaitWindowWrite$AttributeBufferClassDebugDeleteDestroyDeviceEnumFreeInformationLastLocaleModeNamespaceOncePowerQueryRequestResourceScreenSizeStringTextTime$AffinityArrangeAtomBackupBroadcastBuildCallsCancelCaptureCodeCommContextCurrentCursorDateDefineDeregisterDisableDiskDuplicateDurationExecuteExitExtentFiberFirstFlushFontFormatFormatsFrequencyFromGlobalGroupHookIconicInitInterlockedKillLanguagesLibraryListLocalesLockMappingMessageMitigationMoveNameNamedObjectOpenPageParametersPerformancePipePolicyPreferredPriorityProfileProgressRegisterReleaseSectionSeekSemaphoreSharedShellSignalSizeofSpaceStationSuspendTabbedTapeTapemarkThreadpoolTimeoutsTypeUnlockUnregisterUserValidValidateVolumeWindowsWithWow64lstrcat
String ID: 2yWC9N95qtwUxh6Zu4tr64aS3$8cE2bpoSKbKGQWL662m1W52YJX3xN$B68fbV64CP46p724ee5$I6zau8MrisShdWKX2dR9eg288ft3$YtS15VItdjosnwZE1q$\$hHhLzpLo29z1LJNcXkl5oXW8Ag$tTIksRjj97jL38M1Q3$yG4QzssvJ81N381c1pKP4G
API String ID: 807466959-4049110024
Opcode ID: a7249063717df10330302baf5cca1ebcf6c8b118ad41476c8b5f60c9b1cd0db3
Instruction ID: a8e37b279c2db62b31acfd04f06ba8e9c3f24118303dbca9b2bf6919781ab5c0
Opcode Fuzzy Hash: a7249063717df10330302baf5cca1ebcf6c8b118ad41476c8b5f60c9b1cd0db3
Instruction Fuzzy Hash: F7F171F1A18E5182F729DB31F81EAAB3363FF887A5F65843DDA4B49858CE3DD0458604

Function 00007FFB1DED9E10 Relevance: 160.0, APIs: 88, Strings: 3, Instructions: 727COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED9E57
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED9E81
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED9E99
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DED9EB6
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DED9ECC
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DED9ED4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED9EE3
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED9EFB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED9F62
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED9F7A

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED9FD6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED9FEE
EVP_PKEY_get_security_bits.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA015
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA036
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA04E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA200
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA218
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA378
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA38E
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA396
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA3BD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA3D5
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA453
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA46B

Part of subcall function 00007FFB1DE79AE0: BN_get_rfc3526_prime_8192.LIBCRYPTO-3-X64 ref: 00007FFB1DE79B7C
Part of subcall function 00007FFB1DE79AE0: EVP_PKEY_CTX_new_from_name.LIBCRYPTO-3-X64 ref: 00007FFB1DE79BCF
Part of subcall function 00007FFB1DE79AE0: EVP_PKEY_fromdata_init.LIBCRYPTO-3-X64 ref: 00007FFB1DE79BDF
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_BLD_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE79BE9
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C03
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_BLD_push_uint.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C1C
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_BLD_to_param.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C28
Part of subcall function 00007FFB1DE79AE0: EVP_PKEY_fromdata.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C46
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C4E
Part of subcall function 00007FFB1DE79AE0: OSSL_PARAM_BLD_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C56
Part of subcall function 00007FFB1DE79AE0: EVP_PKEY_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C5E
Part of subcall function 00007FFB1DE79AE0: BN_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79C66

EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA97F
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA995
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA99D
BN_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA9AC
BN_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA9B5
BN_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA9BE
BN_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDA9C7
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEDAA06
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDAA0B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDAA23
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDAA42
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDAA5A

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DED9E92, 00007FFB1DED9EBF, 00007FFB1DED9EF4, 00007FFB1DED9F73, 00007FFB1DED9FE7, 00007FFB1DEDA047, 00007FFB1DEDA081, 00007FFB1DEDA0B3, 00007FFB1DEDA104, 00007FFB1DEDA1A2, 00007FFB1DEDA1CE, 00007FFB1DEDA211, 00007FFB1DEDA250, 00007FFB1DEDA2BC, 00007FFB1DEDA32F, 00007FFB1DEDA354, 00007FFB1DEDA381, 00007FFB1DEDA3CE, 00007FFB1DEDA464, 00007FFB1DEDA5E2, 00007FFB1DEDA611, 00007FFB1DEDA64A, 00007FFB1DEDA683, 00007FFB1DEDA6BC, 00007FFB1DEDA744, 00007FFB1DEDA7A3, 00007FFB1DEDA819, 00007FFB1DEDA87E, 00007FFB1DEDA960, 00007FFB1DEDA988, 00007FFB1DEDA9F9, 00007FFB1DEDAA1C, 00007FFB1DEDAA53
pub, xrefs: 00007FFB1DEDA17D
tls_construct_server_key_exchange, xrefs: 00007FFB1DED9E86, 00007FFB1DED9EE8, 00007FFB1DED9F67, 00007FFB1DED9FDB, 00007FFB1DEDA03B, 00007FFB1DEDA075, 00007FFB1DEDA0A7, 00007FFB1DEDA0F8, 00007FFB1DEDA196, 00007FFB1DEDA205, 00007FFB1DEDA244, 00007FFB1DEDA2B0, 00007FFB1DEDA323, 00007FFB1DEDA348, 00007FFB1DEDA3C2, 00007FFB1DEDA458, 00007FFB1DEDA605, 00007FFB1DEDA63E, 00007FFB1DEDA677, 00007FFB1DEDA6B0, 00007FFB1DEDA738, 00007FFB1DEDA797, 00007FFB1DEDA80D, 00007FFB1DEDA872, 00007FFB1DEDAA10, 00007FFB1DEDAA47

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$N_free$O_freeX_free$Y_free$D_freeD_newD_push_D_push_uintD_to_paramM_freeN_get_rfc3526_prime_8192R_vset_errorX_newX_new_from_nameY_fromdataY_fromdata_initY_get_security_bits
String ID: pub$ssl\statem\statem_srvr.c$tls_construct_server_key_exchange
API String ID: 717660064-128282604
Opcode ID: 21c91595c7a8f1627ff56b015938b5ad22fc7ac8f4f7c1965e68864c49619e03
Instruction ID: fdf0570d66e8b0f7ebb34ceff386c9495381237e8a2df698588616982857faa6
Opcode Fuzzy Hash: 21c91595c7a8f1627ff56b015938b5ad22fc7ac8f4f7c1965e68864c49619e03
Instruction Fuzzy Hash: 4B6269A3B08E4281FE50AB71D9516FF2363AF59BA6F404031DD4D97A9AFF2CE6058341

Function 00007FFB1DEC4E90 Relevance: 89.8, APIs: 46, Strings: 5, Instructions: 581COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4F5D
EVP_PKEY_new_raw_private_key_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4F8F
EVP_DigestSignInit_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4FDC
EVP_DigestSign.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4FFC
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5017
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC501F
CRYPTO_memcmp.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5032
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC503B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5053

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC50B0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC50C8
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC55CF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC55E7
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC560F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5627
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5652
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC566A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC568B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC56A3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC56C2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC56DA
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC56FB
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5713
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5732
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC574A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5769
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5781
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57A3
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57AB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57B0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57C8
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57EC
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57F4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC57F9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5811
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5832
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC584A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5869
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5881

Strings

, xrefs: 00007FFB1DEC4F86
SHA2-256, xrefs: 00007FFB1DEC4FB1
HMAC, xrefs: 00007FFB1DEC4F69
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC504C, 00007FFB1DEC50C1, 00007FFB1DEC5257, 00007FFB1DEC52AB, 00007FFB1DEC5491, 00007FFB1DEC55E0, 00007FFB1DEC5620, 00007FFB1DEC5663, 00007FFB1DEC569C, 00007FFB1DEC56D3, 00007FFB1DEC570C, 00007FFB1DEC5743, 00007FFB1DEC577A, 00007FFB1DEC57C1, 00007FFB1DEC580A, 00007FFB1DEC5843, 00007FFB1DEC587A
tls_parse_ctos_cookie, xrefs: 00007FFB1DEC5040, 00007FFB1DEC50B5, 00007FFB1DEC524B, 00007FFB1DEC529F, 00007FFB1DEC5485, 00007FFB1DEC55D4, 00007FFB1DEC5614, 00007FFB1DEC5657, 00007FFB1DEC5690, 00007FFB1DEC56C7, 00007FFB1DEC5700, 00007FFB1DEC5737, 00007FFB1DEC576E, 00007FFB1DEC57B5, 00007FFB1DEC57FE, 00007FFB1DEC5837, 00007FFB1DEC586E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$X_freeY_free$DigestSign$Init_exO_memcmpR_vset_errorX_newY_new_raw_private_key_ex
String ID: $HMAC$SHA2-256$ssl\statem\extensions_srvr.c$tls_parse_ctos_cookie
API String ID: 700504784-922819786
Opcode ID: c5afd7339cda3e5e2c03b83fbc20d23734996ffb623223bd3be480a254d6c297
Instruction ID: 7d2afbd9f0863d368e4759bdf729fddc7d71f70952f30f4799acbd203e96622e
Opcode Fuzzy Hash: c5afd7339cda3e5e2c03b83fbc20d23734996ffb623223bd3be480a254d6c297
Instruction Fuzzy Hash: 9A428CA3A18E8282FF50AB31D8556FB2763AF4D7A6F804532DA4D865D6FF2CE504C710

Function 00007FFB1DEBCD00 Relevance: 77.4, APIs: 39, Strings: 5, Instructions: 379COMMON

Download Yara Rule

APIs

EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCD6D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCD85
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCD9D

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCE60
EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCE7A
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCE95
EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCF21
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCF2A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBCF42
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEBD372
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEBD384
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBD38C
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBD394

Strings

ext binder, xrefs: 00007FFB1DEBCE15
ssl\statem\extensions.c, xrefs: 00007FFB1DEBCD96, 00007FFB1DEBCF3B, 00007FFB1DEBCFA3, 00007FFB1DEBD095, 00007FFB1DEBD0D1, 00007FFB1DEBD176, 00007FFB1DEBD27E, 00007FFB1DEBD2B5, 00007FFB1DEBD2E9, 00007FFB1DEBD322
res binder, xrefs: 00007FFB1DEBCE0E
HMAC, xrefs: 00007FFB1DEBD13E
tls_psk_do_binder, xrefs: 00007FFB1DEBCD8A, 00007FFB1DEBCF2F, 00007FFB1DEBCF97, 00007FFB1DEBD089, 00007FFB1DEBD0C5, 00007FFB1DEBD16A, 00007FFB1DEBD272, 00007FFB1DEBD2A9, 00007FFB1DEBD2DD, 00007FFB1DEBD316

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Digest$Init_exL_cleanseR_newR_set_debug$D_get_sizeFinal_exR_vset_errorX_freeX_newY_free
String ID: HMAC$ext binder$res binder$ssl\statem\extensions.c$tls_psk_do_binder
API String ID: 1391125327-4250429628
Opcode ID: 50eb83ce231dc522a81319e73dbe5a18760955ea38923bd16de0288e23209f83
Instruction ID: ddf60e5b242520a03fa9fe39c648652ad42c18c19af0f0e5ff332644609ab405
Opcode Fuzzy Hash: 50eb83ce231dc522a81319e73dbe5a18760955ea38923bd16de0288e23209f83
Instruction Fuzzy Hash: 77F171A3A0CE8281EE619B35E8557FB6752EB88BA1F404136DD8D47A96FF3CE105C701

Function 00007FFB1DEC9D03 Relevance: 77.4, APIs: 40, Strings: 4, Instructions: 356COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDE2D
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDEA7
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDEBF
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDEF0
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDF6D
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECDF85
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE0DC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE0F4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE109
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE121
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE144
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE15C
EVP_MD_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,?), ref: 00007FFB1DECE40E

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECDEB8, 00007FFB1DECDEE9, 00007FFB1DECDF51, 00007FFB1DECDF7E, 00007FFB1DECE0ED, 00007FFB1DECE11A, 00007FFB1DECE155, 00007FFB1DECE1AE, 00007FFB1DECE2B7, 00007FFB1DECE2E0, 00007FFB1DECE346, 00007FFB1DECE372, 00007FFB1DECE3BA, 00007FFB1DECE3E9
tls_process_ske_psk_preamble, xrefs: 00007FFB1DECDEAC, 00007FFB1DECDF45, 00007FFB1DECDF72
C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFB1DECDF10, 00007FFB1DECDF22
tls_process_key_exchange, xrefs: 00007FFB1DECE0E1, 00007FFB1DECE10E, 00007FFB1DECE149, 00007FFB1DECE1A7, 00007FFB1DECE2D4, 00007FFB1DECE324, 00007FFB1DECE33A, 00007FFB1DECE366, 00007FFB1DECE3AE, 00007FFB1DECE3DD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeX_freeY_free
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\statem_clnt.c$tls_process_key_exchange$tls_process_ske_psk_preamble
API String ID: 2275278220-901884138
Opcode ID: 9f5443423447525a7f065a967fe32912e2ce963bb17d2896964447c07080f7a7
Instruction ID: 67eb9f33ad8f8f12c59bb44923b4d7c08f42315b192d7eb16a14298c55025dfc
Opcode Fuzzy Hash: 9f5443423447525a7f065a967fe32912e2ce963bb17d2896964447c07080f7a7
Instruction Fuzzy Hash: 27F17FA3A0CE8280FE219B35D4553BF6752EF8DBA2F904132D99C47696FF2CE9458301

Function 00007FFB1DE5DF70 Relevance: 72.0, APIs: 2, Strings: 39, Instructions: 234COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE5DFAB

Strings

AESCCM8(128), xrefs: 00007FFB1DE5E269
ARIAGCM(128), xrefs: 00007FFB1DE5E2DE
KUZNYECHIK, xrefs: 00007FFB1DE5E2C3
CHACHA20/POLY1305(256), xrefs: 00007FFB1DE5E2E7
AESCCM(128), xrefs: 00007FFB1DE5E27B
SRP, xrefs: 00007FFB1DE5E0BA
SHA1, xrefs: 00007FFB1DE5E328
GOST, xrefs: 00007FFB1DE5E069
any, xrefs: 00007FFB1DE5E060
DHEPSK, xrefs: 00007FFB1DE5E09F
SEED(128), xrefs: 00007FFB1DE5E1EF
AESCCM8(256), xrefs: 00007FFB1DE5E25D
GOST94, xrefs: 00007FFB1DE5E31F
GOST89(256), xrefs: 00007FFB1DE5E28D
Camellia(128), xrefs: 00007FFB1DE5E207
ssl\ssl_ciph.c, xrefs: 00007FFB1DE5DF9B
Camellia(256), xrefs: 00007FFB1DE5E1FB
GOST18, xrefs: 00007FFB1DE5E096
RSA, xrefs: 00007FFB1DE5E001
AES(128), xrefs: 00007FFB1DE5E1B3
RSAPSK, xrefs: 00007FFB1DE5E0B1
MD5, xrefs: 00007FFB1DE5E331
PSK, xrefs: 00007FFB1DE5E027
AESCCM(256), xrefs: 00007FFB1DE5E272
SHA384, xrefs: 00007FFB1DE5E33A
MAGMA, xrefs: 00007FFB1DE5E2CC
AES(256), xrefs: 00007FFB1DE5E213
unknown, xrefs: 00007FFB1DE5DFF7
AEAD, xrefs: 00007FFB1DE5E36F
ECDHEPSK, xrefs: 00007FFB1DE5E0A8
AESGCM(128), xrefs: 00007FFB1DE5E21F
ECDH, xrefs: 00007FFB1DE5E049
%-30s %-7s Kx=%-8s Au=%-5s Enc=%-22s Mac=%-4s, xrefs: 00007FFB1DE5E387
None, xrefs: 00007FFB1DE5E0C6
SHA256, xrefs: 00007FFB1DE5E316
ARIAGCM(256), xrefs: 00007FFB1DE5E2D5
GOST2012, xrefs: 00007FFB1DE5E35D
GOST89, xrefs: 00007FFB1DE5E366
AESGCM(256), xrefs: 00007FFB1DE5E284

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_malloc
String ID: %-30s %-7s Kx=%-8s Au=%-5s Enc=%-22s Mac=%-4s$AEAD$AES(128)$AES(256)$AESCCM(128)$AESCCM(256)$AESCCM8(128)$AESCCM8(256)$AESGCM(128)$AESGCM(256)$ARIAGCM(128)$ARIAGCM(256)$CHACHA20/POLY1305(256)$Camellia(128)$Camellia(256)$DHEPSK$ECDH$ECDHEPSK$GOST$GOST18$GOST2012$GOST89$GOST89(256)$GOST94$KUZNYECHIK$MAGMA$MD5$None$PSK$RSA$RSAPSK$SEED(128)$SHA1$SHA256$SHA384$SRP$any$ssl\ssl_ciph.c$unknown
API String ID: 1457121658-3292520901
Opcode ID: 7867be90cec1ceb471c5a0e22d4962461786f0bd64b9cec51587dc3d38567341
Instruction ID: f1205b8395a0d06882e10901bd77af19186e19571d0da62fbcc834079ed0dfeb
Opcode Fuzzy Hash: 7867be90cec1ceb471c5a0e22d4962461786f0bd64b9cec51587dc3d38567341
Instruction Fuzzy Hash: C9B150EBD0CE5380FE658B34D4841BB6363AB4EBB2F958136D94D529DCAF3CA944C241

Function 00007FFB1DE60EB0 Relevance: 65.1, APIs: 23, Strings: 14, Instructions: 313COMMON

Download Yara Rule

APIs

EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFB1DE60F68
ERR_set_mark.LIBCRYPTO-3-X64 ref: 00007FFB1DE60F92
EVP_SIGNATURE_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE60FA8
EVP_KEYEXCH_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE60FD4
EVP_KEYEXCH_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE61003
EVP_KEYEXCH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE6101C
EVP_SIGNATURE_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE61032
EVP_SIGNATURE_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE61048
ERR_pop_to_mark.LIBCRYPTO-3-X64 ref: 00007FFB1DE6104D
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE610A5
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE610C5
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE61115

Part of subcall function 00007FFB1DE6EE40: ERR_set_mark.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE6C
Part of subcall function 00007FFB1DE6EE40: OBJ_nid2sn.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE73
Part of subcall function 00007FFB1DE6EE40: EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE81
Part of subcall function 00007FFB1DE6EE40: ERR_pop_to_mark.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE89

EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE61135
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE61188
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE611A8
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE611FB
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE6121B
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE6126E
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE6128E
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE612CD
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE612ED
EVP_PKEY_asn1_find_str.LIBCRYPTO-3-X64 ref: 00007FFB1DE6132C
EVP_PKEY_asn1_get0_info.LIBCRYPTO-3-X64 ref: 00007FFB1DE6134C

Strings

kuznyechik-mac, xrefs: 00007FFB1DE611EC
gost-mac, xrefs: 00007FFB1DE61063
, xrefs: 00007FFB1DE61158
gost-mac-12, xrefs: 00007FFB1DE61106
, xrefs: 00007FFB1DE611CB
magma-mac, xrefs: 00007FFB1DE61179
ECDSA, xrefs: 00007FFB1DE61028
DSA, xrefs: 00007FFB1DE60F9E
ECDH, xrefs: 00007FFB1DE60FF9
gost2012_256, xrefs: 00007FFB1DE612BE
gost2001, xrefs: 00007FFB1DE6125F
gost2012_512, xrefs: 00007FFB1DE6131D
, xrefs: 00007FFB1DE610E8
, xrefs: 00007FFB1DE6123E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Y_asn1_find_strY_asn1_get0_info$E_fetchH_fetchR_pop_to_markR_set_mark$D_get_sizeE_freeH_freeJ_nid2snR_fetch
String ID: $ $ $ $DSA$ECDH$ECDSA$gost-mac$gost-mac-12$gost2001$gost2012_256$gost2012_512$kuznyechik-mac$magma-mac
API String ID: 2321393641-365409564
Opcode ID: b7c6bb6e3af7159bff88fd0230ed0ff28a56425c1fb517c1b426233e7dad38f6
Instruction ID: dfbdb695191e3707299e0629f38038186bf409eb2f0311c90d8ac6260d713867
Opcode Fuzzy Hash: b7c6bb6e3af7159bff88fd0230ed0ff28a56425c1fb517c1b426233e7dad38f6
Instruction Fuzzy Hash: 0FE1A0B3A05F9285EB518F34D4806AA37A2FB48B69F045235FE4E86695EF38E481C700

Function 00007FFB1C889FE0 Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 282windowregistryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FFB1C88A133

Part of subcall function 00007FFB1C889AF0: GetObjectW.GDI32 ref: 00007FFB1C889B3E
Part of subcall function 00007FFB1C889AF0: GetObjectW.GDI32 ref: 00007FFB1C889B54
Part of subcall function 00007FFB1C889AF0: GetDC.USER32 ref: 00007FFB1C889B69
Part of subcall function 00007FFB1C889AF0: CreateCompatibleDC.GDI32 ref: 00007FFB1C889B75
Part of subcall function 00007FFB1C889AF0: CreateCompatibleBitmap.GDI32 ref: 00007FFB1C889B86
Part of subcall function 00007FFB1C889AF0: SelectObject.GDI32 ref: 00007FFB1C889B95
Part of subcall function 00007FFB1C889AF0: CreateCompatibleDC.GDI32 ref: 00007FFB1C889B9E
Part of subcall function 00007FFB1C889AF0: CreateCompatibleDC.GDI32 ref: 00007FFB1C889BB1
Part of subcall function 00007FFB1C889AF0: SelectObject.GDI32 ref: 00007FFB1C889BC8
Part of subcall function 00007FFB1C889AF0: SelectObject.GDI32 ref: 00007FFB1C889BDC
Part of subcall function 00007FFB1C889AF0: BitBlt.GDI32 ref: 00007FFB1C889C19
Part of subcall function 00007FFB1C889AF0: BitBlt.GDI32 ref: 00007FFB1C889C58

MessageBoxW.USER32 ref: 00007FFB1C88A0D6
LoadImageW.USER32 ref: 00007FFB1C88A194
InvalidateRect.USER32 ref: 00007FFB1C88A1AC
BeginPaint.USER32 ref: 00007FFB1C88A1BC
CreateCompatibleDC.GDI32 ref: 00007FFB1C88A1D3
SelectObject.GDI32 ref: 00007FFB1C88A1E6
BitBlt.GDI32 ref: 00007FFB1C88A21A
DeleteDC.GDI32 ref: 00007FFB1C88A223
CreateCompatibleDC.GDI32 ref: 00007FFB1C88A235
SelectObject.GDI32 ref: 00007FFB1C88A248
BitBlt.GDI32 ref: 00007FFB1C88A27F
DeleteDC.GDI32 ref: 00007FFB1C88A288
EndPaint.USER32 ref: 00007FFB1C88A296
PostQuitMessage.USER32 ref: 00007FFB1C88A2A0
RegisterClassW.USER32 ref: 00007FFB1C88A337
CreateWindowExW.USER32 ref: 00007FFB1C88A388
CreateWindowExW.USER32 ref: 00007FFB1C88A3DF
CreateWindowExW.USER32 ref: 00007FFB1C88A433
CreateWindowExW.USER32 ref: 00007FFB1C88A487
ShowWindow.USER32 ref: 00007FFB1C88A492
UpdateWindow.USER32 ref: 00007FFB1C88A49B
GetMessageW.USER32 ref: 00007FFB1C88A4C3
TranslateMessage.USER32 ref: 00007FFB1C88A4D5
DispatchMessageW.USER32 ref: 00007FFB1C88A4E0
GetMessageW.USER32 ref: 00007FFB1C88A4F3

Strings

IFTUQUWBIHBcjkwUgNMSmzkkXufw, xrefs: 00007FFB1C88A3EA
DhHKvXeRhgtpIznDyphBbuGOjf, xrefs: 00007FFB1C88A43E
BUTTON, xrefs: 00007FFB1C88A39F, 00007FFB1C88A3F6, 00007FFB1C88A44A
combined.bmp, xrefs: 00007FFB1C88A063
KkFAVKaSRmXombVyr, xrefs: 00007FFB1C88A393
MainWindowClass, xrefs: 00007FFB1C88A309
, xrefs: 00007FFB1C88A24E
KcLqTCqHxYXtuGXwY, xrefs: 00007FFB1C88A0CC
Blended BMP Editor, xrefs: 00007FFB1C88A345
NUVkpLrTsujGUONwAa, xrefs: 00007FFB1C88A0C5

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Create$Object$CompatibleMessageWindow$Select$DeleteImageLoadPaint$BeginBitmapClassDispatchInvalidatePostQuitRectRegisterShowTranslateUpdate
String ID: $BUTTON$Blended BMP Editor$DhHKvXeRhgtpIznDyphBbuGOjf$IFTUQUWBIHBcjkwUgNMSmzkkXufw$KcLqTCqHxYXtuGXwY$KkFAVKaSRmXombVyr$MainWindowClass$NUVkpLrTsujGUONwAa$combined.bmp
API String ID: 2701338806-2707436382
Opcode ID: 5b25dd3c059e105bf25be2c2b02eeadfbe88830b7ec06e90a8b6f4220208135b
Instruction ID: ebe0c856a2664141f30f9fd795e22701930587ae8ccd2c22b60511e92f26641a
Opcode Fuzzy Hash: 5b25dd3c059e105bf25be2c2b02eeadfbe88830b7ec06e90a8b6f4220208135b
Instruction Fuzzy Hash: 10D163F2A18F8282E7218F21F4497EAB762FB857A4F654139DA8D03A58DF7DE144C704

Function 00007FFB1DE9EF10 Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EF76
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EF8E
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EF9E
ERR_new.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EFB8
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EFD0
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00007FFB1DE9F978,?,00000000,?,00000000,?,00007FFB1DE9EE4A,?,?), ref: 00007FFB1DE9EFE1

Strings

qtx_encrypt_into_txe, xrefs: 00007FFB1DE9EF7B, 00007FFB1DE9EFBD, 00007FFB1DE9F000, 00007FFB1DE9F042, 00007FFB1DE9F107, 00007FFB1DE9F15E, 00007FFB1DE9F1F0, 00007FFB1DE9F25E, 00007FFB1DE9F2B1
ssl\quic\quic_record_tx.c, xrefs: 00007FFB1DE9EF87, 00007FFB1DE9EFC9, 00007FFB1DE9F00C, 00007FFB1DE9F04E, 00007FFB1DE9F113, 00007FFB1DE9F16A, 00007FFB1DE9F1FC, 00007FFB1DE9F26A, 00007FFB1DE9F2BD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: qtx_encrypt_into_txe$ssl\quic\quic_record_tx.c
API String ID: 1552677711-1147139145
Opcode ID: a1007960c9a856b562edb166e4585f39de68b8d37f57a182c282608c2b28b1b4
Instruction ID: a6f9d9e306685dc728d2c6862d984153c5d83b1e8fce775c85e15e4a4fed3c89
Opcode Fuzzy Hash: a1007960c9a856b562edb166e4585f39de68b8d37f57a182c282608c2b28b1b4
Instruction Fuzzy Hash: C0B190A3A19E4243EF54EB31D8456BB2362FB4C7A2F900436D94D93A9AFE3CE545C700

Function 00007FFB1C88BF50 Relevance: 61.5, APIs: 23, Strings: 12, Instructions: 268windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FFB1C88C061
ShowWindow.USER32 ref: 00007FFB1C88C083
ShowWindow.USER32 ref: 00007FFB1C88C092
ShowWindow.USER32 ref: 00007FFB1C88C0A1
ShowWindow.USER32 ref: 00007FFB1C88C0B9
ShowWindow.USER32 ref: 00007FFB1C88C0C8
ShowWindow.USER32 ref: 00007FFB1C88C0DE
ShowWindow.USER32 ref: 00007FFB1C88C0ED

Part of subcall function 00007FFB1C88BED0: LoadImageW.USER32 ref: 00007FFB1C88BF1E

PostQuitMessage.USER32 ref: 00007FFB1C88C10A
CreateWindowExW.USER32 ref: 00007FFB1C88C159
SendMessageW.USER32 ref: 00007FFB1C88C19C
SendMessageW.USER32 ref: 00007FFB1C88C1C5
SendMessageW.USER32 ref: 00007FFB1C88C1EE
CreateWindowExW.USER32 ref: 00007FFB1C88C241
CreateWindowExW.USER32 ref: 00007FFB1C88C2A3
CreateWindowExW.USER32 ref: 00007FFB1C88C305

Strings

d, xrefs: 00007FFB1C88C477
Previous, xrefs: 00007FFB1C88C24C
2, xrefs: 00007FFB1C88C47F
Chat, xrefs: 00007FFB1C88C1A9
EDIT, xrefs: 00007FFB1C88C32F, 00007FFB1C88C384, 00007FFB1C88C3E2, 00007FFB1C88C440
STATIC, xrefs: 00007FFB1C88C1FB
SysTabControl32, xrefs: 00007FFB1C88C123
Photo Album, xrefs: 00007FFB1C88C15F
BUTTON, xrefs: 00007FFB1C88C258, 00007FFB1C88C2FE
d, xrefs: 00007FFB1C88C2DD
Next, xrefs: 00007FFB1C88C2F5
Wall, xrefs: 00007FFB1C88C1D2

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Window$Show$Message$CreateSend$ImageLoadPostQuit
String ID: 2$BUTTON$Chat$EDIT$Next$Photo Album$Previous$STATIC$SysTabControl32$Wall$d$d
API String ID: 343215222-3801512821
Opcode ID: 71d6d9baa497e690b80cddc3c187f0748743429577f455643e5bc571cc4d118b
Instruction ID: fd93783120cc3b1df43a237db713dfedba1af757359d3a674deee8235534cb0a
Opcode Fuzzy Hash: 71d6d9baa497e690b80cddc3c187f0748743429577f455643e5bc571cc4d118b
Instruction Fuzzy Hash: E0E141F1918F8686E7118F21F8882AA77A6FB887A4F304135E98D43B68CF7DD145CB44

Function 00007FFB1DE5C030 Relevance: 59.7, APIs: 32, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C07E
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C086
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C0E6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C0FE
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C10F
X509_NAME_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C117
OPENSSL_sk_pop_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C126
OSSL_LIB_CTX_set0_default.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C12E
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C136
X509_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C140
OPENSSL_LH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C148
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C171
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C189
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C1AD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C1C5
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C1E3
OSSL_LIB_CTX_set0_default.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C1F3
PEM_read_bio_X509.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C209
OPENSSL_sk_new_null.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C21C
X509_get_subject_name.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C232
X509_NAME_dup.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C246
OPENSSL_LH_retrieve.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C25D
X509_NAME_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C26A
OPENSSL_LH_insert.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C279
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C284
PEM_read_bio_X509.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C29F
OSSL_LIB_CTX_set0_default.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2B0
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2B8
X509_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2C2
OPENSSL_LH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2CA
ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2D4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C2E1

Strings

ssl\ssl_cert.c, xrefs: 00007FFB1DE5C0F7, 00007FFB1DE5C182, 00007FFB1DE5C1BE
SSL_load_client_CA_file_ex, xrefs: 00007FFB1DE5C0EB, 00007FFB1DE5C176, 00007FFB1DE5C1B2, 00007FFB1DE5C2E6

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debugX509_X_set0_default$E_freeH_freeM_read_bio_O_freeX509X509_free$E_dupH_insertH_retrieveL_sk_new_nullL_sk_pop_freeL_sk_pushO_ctrlO_newO_s_fileR_clear_errorR_set_errorX509_get_subject_name
String ID: SSL_load_client_CA_file_ex$ssl\ssl_cert.c
API String ID: 2739310531-3382427984
Opcode ID: b7b042d8d6794957320641e2aaebb5fe1d56e08cc6deb881002e24655f341240
Instruction ID: ca638357e3b0613b06601a7b352b6eaa66c06783d523ed004ae16dbc97e2b684
Opcode Fuzzy Hash: b7b042d8d6794957320641e2aaebb5fe1d56e08cc6deb881002e24655f341240
Instruction Fuzzy Hash: 6B618F97A0DE0241FD55A775E5252BB2353AF8EFE2F440535EC8D87B9AFE2CE4058600

Function 00007FFB1DEC6050 Relevance: 58.2, APIs: 29, Strings: 4, Instructions: 492COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC61E9
CRYPTO_strndup.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6201
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC623A
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEC62CF
EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFB1DEC65FC
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6695
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC66AD
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC66C0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC66D8
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEC66EE
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC66F3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC676C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC680C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC681B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC682A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6842
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC686E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC687D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6889
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC68A1

Strings

, xrefs: 00007FFB1DEC636B
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC622E, 00007FFB1DEC66A6, 00007FFB1DEC66D1, 00007FFB1DEC671F, 00007FFB1DEC683B, 00007FFB1DEC689A
C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFB1DEC61E0, 00007FFB1DEC61F4
tls_parse_ctos_psk, xrefs: 00007FFB1DEC669F, 00007FFB1DEC66C5, 00007FFB1DEC6718, 00007FFB1DEC6834, 00007FFB1DEC6893

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$L_cleanseO_free$D_get_sizeO_strndup
String ID: $C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_psk
API String ID: 297221546-853974831
Opcode ID: bf4c73cfa60926b827c79e9cfe0853f26775cbe2c50552af1f3b31fab70fd666
Instruction ID: 13b71d56ee71267c146c6b86a162751660e1956f35677cfc4f7a1b759974a5d8
Opcode Fuzzy Hash: bf4c73cfa60926b827c79e9cfe0853f26775cbe2c50552af1f3b31fab70fd666
Instruction Fuzzy Hash: B22291A3A08E8282FE149B71D4543BFA792FB48BA5F504539DA5D47BA5EE7CF040CB00

Function 00007FFB1DEB8E60 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 244COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEB2709), ref: 00007FFB1DEB8E94
OSSL_PARAM_get_int.LIBCRYPTO-3-X64 ref: 00007FFB1DEB8F1D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB8F2A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB91B9
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEB91CA

Strings

stream_mac, xrefs: 00007FFB1DEB8FA7
use_etm, xrefs: 00007FFB1DEB8EF6
max_frag_len, xrefs: 00007FFB1DEB8F39
NULL, xrefs: 00007FFB1DEB91F9
max_early_data, xrefs: 00007FFB1DEB8F72
tls_int_new_record_layer, xrefs: 00007FFB1DEB9033, 00007FFB1DEB91AB
RC4, xrefs: 00007FFB1DEB920C
ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB8E7F, 00007FFB1DEB903F, 00007FFB1DEB91B2
tlstree, xrefs: 00007FFB1DEB8FDE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: M_get_intO_zallocR_newR_set_debugR_set_error
String ID: NULL$RC4$max_early_data$max_frag_len$ssl\record\methods\tls_common.c$stream_mac$tls_int_new_record_layer$tlstree$use_etm
API String ID: 991255803-716357724
Opcode ID: 7957a72a0f803ffcfd1e8dfbef37eb181012a556433cc277bab907072c5b083a
Instruction ID: 36918af25ad46acd2ab9a84c00dd70bce7751a63e4838fbf459ec65c7f053642
Opcode Fuzzy Hash: 7957a72a0f803ffcfd1e8dfbef37eb181012a556433cc277bab907072c5b083a
Instruction Fuzzy Hash: 12B14CB7A08E8281EF559B31D9442BB63A2EF4CBA6F045231DE8D47789FF2CE4418711

Function 00007FFB1DECBF80 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 222COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECBFC2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECBFDA

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECC012
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECC02A
EVP_PKEY_is_a.LIBCRYPTO-3-X64 ref: 00007FFB1DECC05F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECC068
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECC080

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECBFD3, 00007FFB1DECC023, 00007FFB1DECC079, 00007FFB1DECC0B7, 00007FFB1DECC0E1, 00007FFB1DECC143, 00007FFB1DECC185, 00007FFB1DECC2A3, 00007FFB1DECC2C8, 00007FFB1DECC2EF
0, xrefs: 00007FFB1DECC267
RSA, xrefs: 00007FFB1DECC055
tls_construct_cke_rsa, xrefs: 00007FFB1DECBFC7, 00007FFB1DECC017, 00007FFB1DECC06D, 00007FFB1DECC0D5, 00007FFB1DECC137, 00007FFB1DECC17E, 00007FFB1DECC297, 00007FFB1DECC2BC
0, xrefs: 00007FFB1DECC285

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_errorY_is_a
String ID: 0$0$RSA$ssl\statem\statem_clnt.c$tls_construct_cke_rsa
API String ID: 3021795674-3239883068
Opcode ID: 7551cb9ad6af9946085460652e8c1ef03264fd5da3dbfdd7ed86d2f358e5ea25
Instruction ID: 8f5245233833e0f0f72ec48566b1be2815539058395e43daf31b8e85c31055ad
Opcode Fuzzy Hash: 7551cb9ad6af9946085460652e8c1ef03264fd5da3dbfdd7ed86d2f358e5ea25
Instruction Fuzzy Hash: F19171A3A08E8281FE51A771D8157FB2752AF8CBA6F844132DD4D86696FF3CE546C340

Function 00007FFB1DEC9D1A Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 267COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?), ref: 00007FFB1DECD845
CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?), ref: 00007FFB1DECD859
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECD8DD
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECD904
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECD998
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECD9B0
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECDA21
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDA36
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECDA4E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDA7F
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECDAEB
CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFB1DECDB17
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDB55

Part of subcall function 00007FFB1DEC8D60: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8D97
Part of subcall function 00007FFB1DEC8D60: CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8DC0

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDB64
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECDB7C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECDC8B

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECD852, 00007FFB1DECD8D0, 00007FFB1DECD8E9, 00007FFB1DECD9A9, 00007FFB1DECDA14, 00007FFB1DECDA47, 00007FFB1DECDA68, 00007FFB1DECDB75, 00007FFB1DECDBB6, 00007FFB1DECDBEF, 00007FFB1DECDC84
C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFB1DECDADA, 00007FFB1DECDB0B
tls_process_certificate_request, xrefs: 00007FFB1DECD99D, 00007FFB1DECDA3B, 00007FFB1DECDB69, 00007FFB1DECDBAA, 00007FFB1DECDBE3, 00007FFB1DECDC7D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeR_new$R_set_debug$O_memdup$O_zallocmemset
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\statem_clnt.c$tls_process_certificate_request
API String ID: 3017166865-449271392
Opcode ID: 28e25968650c08f6995e9bc83c29e1b996d66a4973aac5a72ded5f3fc64d768e
Instruction ID: ee2a1898675184bcaed2d3dda1b359fae23994454cda436f6621768052629047
Opcode Fuzzy Hash: 28e25968650c08f6995e9bc83c29e1b996d66a4973aac5a72ded5f3fc64d768e
Instruction Fuzzy Hash: B9C18FA3A0CE8281FF109B39D4447BB2392EF89BA5F544031EA8D47695FF7EE5458701

Function 00007FFB1DEC9E7A Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 401COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE63F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE657
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECE6E9
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DECE714
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE735
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE74D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE771
EVP_MD_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DECE8AF
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE8CC
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE911
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE929
EVP_MD_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECE941
EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFB1DECE9A7
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECE9B0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECE9C8
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECEA5A

Part of subcall function 00007FFB1DEBC360: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DEBC3E7
Part of subcall function 00007FFB1DEBC360: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBC3F4
Part of subcall function 00007FFB1DEBC360: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBC40C

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?), ref: 00007FFB1DECEA7A
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?), ref: 00007FFB1DECEA92
EVP_MD_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?), ref: 00007FFB1DECEAAE
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?), ref: 00007FFB1DECEAC8

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECE650, 00007FFB1DECE6D5, 00007FFB1DECE6F1, 00007FFB1DECE746, 00007FFB1DECE922, 00007FFB1DECE9C1, 00007FFB1DECEA41, 00007FFB1DECEA8B, 00007FFB1DECEABB
SHA2-256, xrefs: 00007FFB1DECE8A4
resumption, xrefs: 00007FFB1DECE9EE
tls_process_new_session_ticket, xrefs: 00007FFB1DECE644, 00007FFB1DECE73A, 00007FFB1DECE916, 00007FFB1DECE9B5, 00007FFB1DECEA84

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$O_free$D_free$D_fetchD_get_sizeO_mallocO_zalloc
String ID: SHA2-256$resumption$ssl\statem\statem_clnt.c$tls_process_new_session_ticket
API String ID: 1468141521-2938955119
Opcode ID: 8c7c908e33ff7a4ef9db1fb3d5694d786511127fbe4c3851e8ba41bb97eb5dbd
Instruction ID: 16c1382d0259bdd4ed2e28c8bb79659905f2e65e89528bd184936f446d9bfb9f
Opcode Fuzzy Hash: 8c7c908e33ff7a4ef9db1fb3d5694d786511127fbe4c3851e8ba41bb97eb5dbd
Instruction Fuzzy Hash: 25027DB3A08E8185EF608B25D4443BA77A2FB88BA5F448135DA8D87795EF3CE595C700

Function 00007FFB1DEB4E60 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 268COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB4E95
memcpy.VCRUNTIME140 ref: 00007FFB1DEB5009

Part of subcall function 00007FFB1DEB6960: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB699D
Part of subcall function 00007FFB1DEB6960: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB69B5

EVP_CipherInit_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEB50B7
EVP_CIPHER_CTX_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DEB50DF
EVP_CipherUpdate.LIBCRYPTO-3-X64 ref: 00007FFB1DEB51A9
EVP_CipherUpdate.LIBCRYPTO-3-X64 ref: 00007FFB1DEB51CB
EVP_CipherUpdate.LIBCRYPTO-3-X64 ref: 00007FFB1DEB51EE
EVP_CipherFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEB520A
EVP_CIPHER_CTX_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DEB5247
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB5250
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB527B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB5293

Part of subcall function 00007FFB1DE513A0: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE513D0

ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB4EAD

Part of subcall function 00007FFB1DEB76D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFB1DEB34A0,?,00007FFB1DEB2DD6), ref: 00007FFB1DEB76FE

EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3-X64 ref: 00007FFB1DEB4EEF
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB4EF9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB4F11
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB52BB

Strings

ssl\record\methods\tls13_meth.c, xrefs: 00007FFB1DEB4EA6, 00007FFB1DEB4F0A, 00007FFB1DEB4FA2, 00007FFB1DEB528C
tls13_cipher, xrefs: 00007FFB1DEB4E9A, 00007FFB1DEB4EFE, 00007FFB1DEB4F96, 00007FFB1DEB5255, 00007FFB1DEB5280, 00007FFB1DEB52C0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$Cipher$R_set_debug$Update$X_ctrl$Final_exInit_exO_freeR_vset_errorX_get0_ciphermemcpy
String ID: ssl\record\methods\tls13_meth.c$tls13_cipher
API String ID: 2167596066-1486380087
Opcode ID: 5959f9d875b7fcca663432a3f8e3c0fa36a2f0e40b6d8242c19182858cc584a4
Instruction ID: 791962c2e5e4a5b70641eca31372f749621ad9c0eb66573e98f1091747cd9a8c
Opcode Fuzzy Hash: 5959f9d875b7fcca663432a3f8e3c0fa36a2f0e40b6d8242c19182858cc584a4
Instruction Fuzzy Hash: B5C191A3A08E8256EF249B71D4406FF3762EB4D7A9F440135DF8D47A86EE28E545C700

Function 00007FFB1DE74CC0 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE62F50: ERR_new.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F7F
Part of subcall function 00007FFB1DE62F50: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F97
Part of subcall function 00007FFB1DE62F50: ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62FA8

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE74D06
CRYPTO_new_ex_data.LIBCRYPTO-3-X64 ref: 00007FFB1DE74D7F
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74D96
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE74D9B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE74DB3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE74E82
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE74E9A
CRYPTO_free_ex_data.LIBCRYPTO-3-X64 ref: 00007FFB1DE74ED4
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE74EE2
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE74EF3
X509_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74EFF
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F0B
OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F17
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F30
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F49
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F62
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F7B
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74F94
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74FAD
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74FC6
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE74FDF
memcpy.VCRUNTIME140 ref: 00007FFB1DE7500C

Part of subcall function 00007FFB1DE52360: GetSystemTime.KERNEL32 ref: 00007FFB1DE52381
Part of subcall function 00007FFB1DE52360: SystemTimeToFileTime.KERNEL32 ref: 00007FFB1DE52391

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE74CFA, 00007FFB1DE74D8F, 00007FFB1DE74DAC, 00007FFB1DE74E93, 00007FFB1DE74F23, 00007FFB1DE74F3C, 00007FFB1DE74F55, 00007FFB1DE74F6E, 00007FFB1DE74F87, 00007FFB1DE74FA0, 00007FFB1DE74FB9, 00007FFB1DE74FD1
ssl_get_new_session, xrefs: 00007FFB1DE74DA0, 00007FFB1DE74E87

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$R_newR_set_debugTime$L_cleanseSystemX509_free$FileO_clear_freeO_free_ex_dataO_new_ex_dataO_zallocR_set_errorY_freememcpy
String ID: ssl\ssl_sess.c$ssl_get_new_session
API String ID: 252612468-1994021375
Opcode ID: 822076f57de9ef82094e50242df8c07618292622cbec019a0aa118f73eb09e09
Instruction ID: b54d499fadea629e846051dca282dd2493448890a88dabd8719e80dac3b03073
Opcode Fuzzy Hash: 822076f57de9ef82094e50242df8c07618292622cbec019a0aa118f73eb09e09
Instruction Fuzzy Hash: DD915FA3A08E8282EF84DF71D4442FA2762EB48FA5F045135DE4D8B7A9EF39E5458350

Function 00007FFB1DEC9E91 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5EE3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5EF4
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5F0C
EVP_MD_CTX_copy_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DED5F38
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5F41
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5F59
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DED5F7A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5FBE
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5FD6

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED6021
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED6039
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED606D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED6085
CRYPTO_memcmp.LIBCRYPTO-3-X64 ref: 00007FFB1DED60B1
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED60BA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED60D2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED60F7
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED610F

Strings

tls13_save_handshake_digest_for_pha, xrefs: 00007FFB1DED5EF9, 00007FFB1DED5F46
tls_process_finished, xrefs: 00007FFB1DED5FC3, 00007FFB1DED6026, 00007FFB1DED6072, 00007FFB1DED60BF, 00007FFB1DED60FC
ssl\statem\statem_lib.c, xrefs: 00007FFB1DED5F05, 00007FFB1DED5F52, 00007FFB1DED5FCF, 00007FFB1DED6032, 00007FFB1DED607E, 00007FFB1DED60CB, 00007FFB1DED6108

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_memcmpR_vset_errorX_copy_exX_freeX_new
String ID: ssl\statem\statem_lib.c$tls13_save_handshake_digest_for_pha$tls_process_finished
API String ID: 1740168646-2160900909
Opcode ID: f40ae869233524e462a31377e1873cd7ae6f3baaff3e869d556b84fe27979e85
Instruction ID: 09cbb1f523fdb112cee4e718d6c1539132cc2e32475ad17ade4a01538b335d3c
Opcode Fuzzy Hash: f40ae869233524e462a31377e1873cd7ae6f3baaff3e869d556b84fe27979e85
Instruction Fuzzy Hash: C7B192B3A08E8681EF51DB31D8547BB2762EF49BA9F540035D90D8B696FF2CE945C700

Function 00007FFB1DE51030 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFB1DE51075
GetACP.KERNEL32 ref: 00007FFB1DE5108E
MultiByteToWideChar.KERNEL32 ref: 00007FFB1DE510DC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1DE5114E
MultiByteToWideChar.KERNEL32 ref: 00007FFB1DE51187
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB1DE5119D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1DE5120D
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB1DE51237
WideCharToMultiByte.KERNEL32 ref: 00007FFB1DE51269
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE51286
WideCharToMultiByte.KERNEL32 ref: 00007FFB1DE512B6
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE512CE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1DE512E3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB1DE512FB
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFB1DE51316

Strings

crypto\getenv.c, xrefs: 00007FFB1DE51279, 00007FFB1DE512C7
OPENSSL_WIN32_UTF8, xrefs: 00007FFB1DE5106C

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: ByteCharMultiWide$EnvironmentVariable$freemalloc$O_freeO_mallocgetenv
String ID: OPENSSL_WIN32_UTF8$crypto\getenv.c
API String ID: 961399396-38007710
Opcode ID: 541f84bf0df2ac011f037cd24e831454c5bc7afe2dfc4720033755312ff90a87
Instruction ID: 15a867a624b49610011b1cb5922728a8912c62ffaed5e43cb59e16162c4f1bbf
Opcode Fuzzy Hash: 541f84bf0df2ac011f037cd24e831454c5bc7afe2dfc4720033755312ff90a87
Instruction Fuzzy Hash: 68818EA7A08E4282EE249B76D95017A72D2BF49BF6F444735DA6D47BD8FF3CD5408200

Function 00007FFB1DE71000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE7105E
memcpy.VCRUNTIME140(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE7107F

Part of subcall function 00007FFB1DE71000: CRYPTO_free.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE710AA

ERR_new.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE710C7
ERR_set_debug.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE710DF
ERR_set_error.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE710F0
ERR_new.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE71120
ERR_set_debug.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE71138
CRYPTO_realloc.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE71158
memcpy.VCRUNTIME140(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE71187
ERR_new.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE711AE
ERR_new.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE711CE
ERR_set_debug.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE711E6
ERR_set_error.LIBCRYPTO-3-X64(00000004,00007FFB1DE714E5,?,?,?,?,?,?,?,00007FFB1DE61B0F), ref: 00007FFB1DE711F7

Strings

ssl\ssl_rsa.c, xrefs: 00007FFB1DE71053, 00007FFB1DE7109E, 00007FFB1DE710D8, 00007FFB1DE71131, 00007FFB1DE71148, 00007FFB1DE711DF
SSL_CTX_use_serverinfo_ex, xrefs: 00007FFB1DE710CC, 00007FFB1DE71125, 00007FFB1DE711B3, 00007FFB1DE711D3

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$R_set_errormemcpy$O_freeO_mallocO_realloc
String ID: SSL_CTX_use_serverinfo_ex$ssl\ssl_rsa.c
API String ID: 2781819888-2805076526
Opcode ID: a89e72f673c78d051e6728bb7e93b3edcdcb38e7d493e3aad0fcc1f6aacb7bee
Instruction ID: 326b579a348825713d656963677be25f94118793287c0500a693ddcd9c0140c4
Opcode Fuzzy Hash: a89e72f673c78d051e6728bb7e93b3edcdcb38e7d493e3aad0fcc1f6aacb7bee
Instruction Fuzzy Hash: BF5192A2A08F8281EE90DB35D8511BB6357AF8CBE2F945135EA4D87796FF2CE5418340

Function 00007FFB1C8E5D40 Relevance: 27.2, APIs: 18, Instructions: 229fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FFB1C8E5DED
GetLastError.KERNEL32 ref: 00007FFB1C8E5DF7
FindFirstFileW.KERNEL32 ref: 00007FFB1C8E5E0E
GetLastError.KERNEL32 ref: 00007FFB1C8E5E1A
FindClose.KERNEL32 ref: 00007FFB1C8E5E28
__std_fs_open_handle.LIBCPMT ref: 00007FFB1C8E5EBB
CloseHandle.KERNEL32 ref: 00007FFB1C8E5ED1
CloseHandle.KERNEL32 ref: 00007FFB1C8E6044

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: d3bc3ad0382ca34f78c67d69a41b044f9128940e7bccdede076f0563220f78c3
Instruction ID: 8247255577dc2629bbaa09f8dec303bbda018b2aa23b0dde20d383fe3497cce6
Opcode Fuzzy Hash: d3bc3ad0382ca34f78c67d69a41b044f9128940e7bccdede076f0563220f78c3
Instruction Fuzzy Hash: FE9160F1B08E4786E7648B35E4886B92392AF84BB4F244734DA7E476D4EF3CE4418650

Function 00007FFB1DEBDFB0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 176COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE0A2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE0BA
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE0EF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE107
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE1C5
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE1EC
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE20C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE221
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE245
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE25C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE266
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBE27E

Part of subcall function 00007FFB1DE51C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE51C95

Strings

add_key_share, xrefs: 00007FFB1DEBE0F4, 00007FFB1DEBE211
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBE0B3, 00007FFB1DEBE100, 00007FFB1DEBE1AA, 00007FFB1DEBE21A, 00007FFB1DEBE24F, 00007FFB1DEBE277
tls_construct_ctos_key_share, xrefs: 00007FFB1DEBE0A7, 00007FFB1DEBE1F1, 00007FFB1DEBE26B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$O_free$O_zallocY_free
String ID: add_key_share$ssl\statem\extensions_clnt.c$tls_construct_ctos_key_share
API String ID: 2085171210-1054723374
Opcode ID: 8b176fa1d4d09b3b0bb7db7938e7ee1aad089d42c87783958c1bc4d3aaaf70fd
Instruction ID: 404a9d3cf633baadef3992b84a8084291af494a3d03e74a3f5fd28836d0bd412
Opcode Fuzzy Hash: 8b176fa1d4d09b3b0bb7db7938e7ee1aad089d42c87783958c1bc4d3aaaf70fd
Instruction Fuzzy Hash: 9A7174A2A0CE8241EE50AB31D9556BB6292EF4DBE2F541131EE8D47796FF3CF5058700

Function 00007FFB1DEBFE60 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFE82
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFE9A

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFF2F
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFF43
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFF5B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFF73

Strings

tls_parse_stoc_alpn, xrefs: 00007FFB1DEBFE87, 00007FFB1DEBFF65, 00007FFB1DEC008D
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBFE93, 00007FFB1DEBFF22, 00007FFB1DEBFF3A, 00007FFB1DEBFF6C, 00007FFB1DEC0012, 00007FFB1DEC0094

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_mallocR_vset_error
String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_alpn
API String ID: 3020875438-2890585513
Opcode ID: 661bfb5d8166f5b50c3631d56509cb22e9d7054d27d9a190192cbe8691ab1abf
Instruction ID: c1c48de3297adb6d84accf6865e6799d47790aec51e8165e7db97bb9eff133d2
Opcode Fuzzy Hash: 661bfb5d8166f5b50c3631d56509cb22e9d7054d27d9a190192cbe8691ab1abf
Instruction Fuzzy Hash: 2751C3A3A08E8281EF509B31D4453BF2792EB89BA6F484635DA4C4B795FF3EE5518340

Function 00007FFB1DEDCE30 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCE8B
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCE9C
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCEB4

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

BN_ucmp.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCEE1
BN_is_zero.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCEF5
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCF1D
CRYPTO_strdup.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCF36
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDCF5A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDCF72
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCFE7
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DEDDFD3), ref: 00007FFB1DEDCFFF

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DEDCEAD, 00007FFB1DEDCF09, 00007FFB1DEDCF29, 00007FFB1DEDCF6B, 00007FFB1DEDCFBD, 00007FFB1DEDCFF8
tls_process_cke_srp, xrefs: 00007FFB1DEDCEA1, 00007FFB1DEDCF5F, 00007FFB1DEDCFB1, 00007FFB1DEDCFEC

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$N_bin2bnN_is_zeroN_ucmpO_freeO_strdupR_vset_error
String ID: ssl\statem\statem_srvr.c$tls_process_cke_srp
API String ID: 3252685116-3145630846
Opcode ID: 3da3b4fa9234e2d985829c85583403c56b21d90127378780e934648640a590b5
Instruction ID: 0d6a154a63975bbcd6fcd918c2a0bbed22575c8433468eecc3b3087ce85cfeb7
Opcode Fuzzy Hash: 3da3b4fa9234e2d985829c85583403c56b21d90127378780e934648640a590b5
Instruction Fuzzy Hash: A441BCA3B08E8241FF51AB31D8967BB2352EB8CBA2F545031D94C87796FF2DD5958700

Function 00007FFB1DE75050 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFB1DE751A8
CRYPTO_THREAD_read_lock.LIBCRYPTO-3-X64 ref: 00007FFB1DE751BC
OPENSSL_LH_retrieve.LIBCRYPTO-3-X64 ref: 00007FFB1DE751D9
CRYPTO_THREAD_unlock.LIBCRYPTO-3-X64 ref: 00007FFB1DE751FB
CRYPTO_THREAD_unlock.LIBCRYPTO-3-X64 ref: 00007FFB1DE75213
memcmp.VCRUNTIME140 ref: 00007FFB1DE752FA
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE75315
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7532D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE753A7
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE753BF
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE75454
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7546C

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

ssl_get_prev_session, xrefs: 00007FFB1DE7531A, 00007FFB1DE753AC, 00007FFB1DE75459
ssl\ssl_sess.c, xrefs: 00007FFB1DE75326, 00007FFB1DE753B8, 00007FFB1DE75465

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$D_unlock$D_read_lockH_retrieveR_vset_errormemcmpmemcpy
String ID: ssl\ssl_sess.c$ssl_get_prev_session
API String ID: 2587384529-1744558562
Opcode ID: ca01d3ae8181f38f119ef7227da59f6d4f80502bc35c3250d84dfc644c6a8ef8
Instruction ID: c9023917016092e433c1f641f7e81673b16897da65ec24a3d9cecce6df708f47
Opcode Fuzzy Hash: ca01d3ae8181f38f119ef7227da59f6d4f80502bc35c3250d84dfc644c6a8ef8
Instruction Fuzzy Hash: 0CC14FB3A08EC286EF959B31D4447BF2762FB88BA6F140131DE4E47695EF78E4458780

Function 00007FFB1DEC0CF0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0D28
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0D40
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0DF2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E0A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E16
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E2E
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E65
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E7C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0E94
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0EAC
memcpy.VCRUNTIME140 ref: 00007FFB1DEC0EDD

Strings

tls_parse_stoc_npn, xrefs: 00007FFB1DEC0D2D, 00007FFB1DEC0DF7, 00007FFB1DEC0E99
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEC0D39, 00007FFB1DEC0E03, 00007FFB1DEC0E27, 00007FFB1DEC0E58, 00007FFB1DEC0E6F, 00007FFB1DEC0EA5
ssl_next_proto_validate, xrefs: 00007FFB1DEC0E1B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_mallocmemcpy
String ID: ssl\statem\extensions_clnt.c$ssl_next_proto_validate$tls_parse_stoc_npn
API String ID: 1393888195-3563213302
Opcode ID: 7a92af8302bf3f3fcfaa585fc6e5b776b7ef15d7ed10ce15c881bd9c4fc08051
Instruction ID: 067ebe2208c021569eace91f7509711ee0e803bb362e8d85b27a7381c744e221
Opcode Fuzzy Hash: 7a92af8302bf3f3fcfaa585fc6e5b776b7ef15d7ed10ce15c881bd9c4fc08051
Instruction Fuzzy Hash: FE51BFA3A09F8241EF419B30E4457BB6B92EF89BA2F445031E98D46796FF3CE585C700

Function 00007FFB1DE5D010 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D04E
X509_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D07A
EVP_PKEY_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D086
OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D093
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D0AD
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D0E2
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D0F8
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D10E
X509_STORE_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D117
X509_STORE_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D120
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D145
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D15B
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE63B73,?,00007FFB1DE673AB,?,00007FFB1DE982BD,?,?,00000001,00007FFB1DE9361B), ref: 00007FFB1DE5D170

Strings

ssl\ssl_cert.c, xrefs: 00007FFB1DE5D09C, 00007FFB1DE5D0D5, 00007FFB1DE5D0EB, 00007FFB1DE5D101, 00007FFB1DE5D138, 00007FFB1DE5D14E, 00007FFB1DE5D166

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$E_freeX509_X509_freeY_free
String ID: ssl\ssl_cert.c
API String ID: 1233721043-188639428
Opcode ID: 55a15a956d136460b9df14ac346df1cb2a6ebce51651c7225264afbc9d1b3d66
Instruction ID: c1603f0238887046d2d0b10915e68f0e50adc9deecb0cfa5da8217fc5121f027
Opcode Fuzzy Hash: 55a15a956d136460b9df14ac346df1cb2a6ebce51651c7225264afbc9d1b3d66
Instruction Fuzzy Hash: 01414CB7B08E4281EF00EB35D4412AA2362FB89FA5F405135DF8D97A9AEF39E551C740

Function 00007FFB1C887060 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 295windowregistryCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FFB1C887345
PostQuitMessage.USER32 ref: 00007FFB1C88734D

Part of subcall function 00007FFB1C8F28A4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB1C8F28B8

RegisterClassW.USER32 ref: 00007FFB1C88744F
CreateWindowExW.USER32 ref: 00007FFB1C88749B
ShowWindow.USER32 ref: 00007FFB1C8874A6
GetMessageW.USER32 ref: 00007FFB1C8874CE
TranslateMessage.USER32 ref: 00007FFB1C8874E5
DispatchMessageW.USER32 ref: 00007FFB1C8874F0
GetMessageW.USER32 ref: 00007FFB1C887503

Strings

TetrisGame, xrefs: 00007FFB1C887428
gfff, xrefs: 00007FFB1C8872BC
Game Over!, xrefs: 00007FFB1C88733C
Tetris, xrefs: 00007FFB1C887335, 00007FFB1C88745A

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Message$TimeWindow$ClassCreateDispatchFilePostQuitRegisterShowSystemTranslate
String ID: Game Over!$Tetris$TetrisGame$gfff
API String ID: 3409167224-4281476174
Opcode ID: 35d40b24b8d5111ffb0f2a28b323f0bfaf8650053a8cdd6f96f3f1f4114eec9f
Instruction ID: 76b860cc5c32e1dd0959d11b8ec1ec8a8db48fa377a2a80a1e8d73f495cd5448
Opcode Fuzzy Hash: 35d40b24b8d5111ffb0f2a28b323f0bfaf8650053a8cdd6f96f3f1f4114eec9f
Instruction Fuzzy Hash: E7D172F2A18F8681DB109B25E4882F973A2FB88BE4F744236DA5D07A55DF3CE550C744

Function 00007FFB1DED1F00 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED18DB
Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED18F1
Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED1906
Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED1960
Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED1976
Part of subcall function 00007FFB1DED1820: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED198B

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED2185
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED219D
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED2228
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED2240
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED22A2
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED22BA
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED22D1
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED22E9
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED2318
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000,?,?,?,00000000,-00000031,?,00007FFB1DEC8846), ref: 00007FFB1DED2330

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFB1DED2196, 00007FFB1DED2239, 00007FFB1DED22B3, 00007FFB1DED22E2, 00007FFB1DED2329
dtls_get_reassembled_message, xrefs: 00007FFB1DED218A, 00007FFB1DED222D, 00007FFB1DED22A7, 00007FFB1DED22D6, 00007FFB1DED231D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$R_newR_set_debug
String ID: dtls_get_reassembled_message$ssl\statem\statem_dtls.c
API String ID: 3271392029-2464859936
Opcode ID: 8ba207d4ee099a61aa9b531d5455afc5ea1b49ff4513aa2684777251bf6655b3
Instruction ID: feca62fd68daec33dd5c1f41a804122f6eae71f81fcc9d7de37dcd74a2670e5f
Opcode Fuzzy Hash: 8ba207d4ee099a61aa9b531d5455afc5ea1b49ff4513aa2684777251bf6655b3
Instruction Fuzzy Hash: F1C19073A08E8286EF558F34D8407BA3762FB487A5F048135EB8C97A95EF78E455C310

Function 00007FFB1DE7CD20 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CD6E
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CDBA
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CDD2
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CDEB
CRYPTO_memdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CE0C
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CE29
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFB1DE57F50), ref: 00007FFB1DE7CE50

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE7CD57, 00007FFB1DE7CDCB, 00007FFB1DE7CDFC, 00007FFB1DE7CE1C, 00007FFB1DE7CE43
(, xrefs: 00007FFB1DE7CD46
tls1_set_groups_list, xrefs: 00007FFB1DE7CDBF
No valid groups in '%s', xrefs: 00007FFB1DE7CDDA

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$O_mallocO_memdupR_newR_set_debugR_set_error
String ID: ($No valid groups in '%s'$ssl\t1_lib.c$tls1_set_groups_list
API String ID: 1754736202-1061737906
Opcode ID: cc8b602f8c7684b32e02e3ff221d4bfcc03873a3976025c84f778ca0379fc4d4
Instruction ID: 278035bf2b34b8054277734d3f8a708492b9ea08cb6f39bf6ded4e85b41124eb
Opcode Fuzzy Hash: cc8b602f8c7684b32e02e3ff221d4bfcc03873a3976025c84f778ca0379fc4d4
Instruction Fuzzy Hash: EB314DB3B08F4281EF50DB65E8442AA6766EF88BA1F544035EE8C47B99EF3CE551C740

Function 00007FFB1C886BF0 Relevance: 18.2, APIs: 12, Instructions: 234filethreadmemoryCOMMON

Download Yara Rule

APIs

SetCommConfig.KERNEL32 ref: 00007FFB1C886D06
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFB1C886D13
LocalReAlloc.KERNEL32 ref: 00007FFB1C886D20
GetNumberOfConsoleMouseButtons.KERNEL32 ref: 00007FFB1C886D28
GetProcessGroupAffinity.KERNEL32 ref: 00007FFB1C886D35
WaitForThreadpoolIoCallbacks.KERNEL32 ref: 00007FFB1C886D3F
MapViewOfFileEx.KERNEL32 ref: 00007FFB1C886D59
FormatMessageW.KERNEL32 ref: 00007FFB1C886D77
FlushViewOfFile.KERNEL32 ref: 00007FFB1C886D81
GetVersion.KERNEL32 ref: 00007FFB1C886D87
CloseThreadpool.KERNEL32 ref: 00007FFB1C886D8F
WriteConsoleOutputAttribute.KERNEL32 ref: 00007FFB1C886DA5

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ConsoleFileThreadpoolView$AffinityAllocAttributeButtonsCallbacksCloseCommConfigEnvironmentExpandFlushFormatGroupLocalMessageMouseNumberOutputProcessStringsVersionWaitWrite
String ID:
API String ID: 1427282542-0
Opcode ID: 9bf433654b4853533ca4fd02f79f58872090681018cf0fe6b166d2cadf71b0fa
Instruction ID: 886000eb0306f99a53f83b0df448093a398aa1bdd2ceaf10701f7054ea3cbcaa
Opcode Fuzzy Hash: 9bf433654b4853533ca4fd02f79f58872090681018cf0fe6b166d2cadf71b0fa
Instruction Fuzzy Hash: 3FC1E972A18B808DE711CFB8E8442DE77B5FBA5358F20412ADB8897E69DF38C155CB44

Function 00007FFB1DE59F90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A012
memset.VCRUNTIME140 ref: 00007FFB1DE5A040
memcpy.VCRUNTIME140 ref: 00007FFB1DE5A04A
memcpy.VCRUNTIME140 ref: 00007FFB1DE5A075
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A091
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A0EA
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A0F7
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A162
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A169

Strings

ssl\s3_lib.c, xrefs: 00007FFB1DE59FEE, 00007FFB1DE5A081, 00007FFB1DE5A0D3, 00007FFB1DE5A15B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_clear_free$memcpy$L_cleanseO_mallocmemset
String ID: ssl\s3_lib.c
API String ID: 2649524955-3639828702
Opcode ID: 3aeb4c3df08c8517df8f5c9431e482eea559fa75cd0ac32b7b39047450b3bff8
Instruction ID: 3cfee28097e4d7a5bf5110aeb806d6f6cd760b0b48bf388dec3740ef9eb4537c
Opcode Fuzzy Hash: 3aeb4c3df08c8517df8f5c9431e482eea559fa75cd0ac32b7b39047450b3bff8
Instruction Fuzzy Hash: 4751AAB2608F8182EE148B26E9046AB67A6FB08FD5F544036EE8D47799EF3CE151C300

Function 00007FFB1DE84D40 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SRP_Calc_u_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE84DA7
BN_num_bits.LIBCRYPTO-3-X64 ref: 00007FFB1DE84DF5
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E19
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E26
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E3E

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

BN_bn2bin.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E60
BN_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E83
BN_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE84E8B

Strings

ssl\tls_srp.c, xrefs: 00007FFB1DE84E09, 00007FFB1DE84E37
srp_generate_server_master_secret, xrefs: 00007FFB1DE84E2B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: N_clear_free$Calc_u_exN_bn2binN_num_bitsO_mallocR_newR_set_debugR_vset_error
String ID: srp_generate_server_master_secret$ssl\tls_srp.c
API String ID: 2894122578-1267657263
Opcode ID: 400eae3b511c99b7f18043094bf6643474fc7941b67ef015ac2967bc5c1522be
Instruction ID: 43b8f3b57b7ded9e2af9a00ad13b5c670bd665a73c08a1222699df20d722bcca
Opcode Fuzzy Hash: 400eae3b511c99b7f18043094bf6643474fc7941b67ef015ac2967bc5c1522be
Instruction Fuzzy Hash: 6F3160A7619F8181EE00AB26E8552BA6792FB8CFE9F094531ED4C4B756FF3CD1028300

Function 00007FFB1C88C500 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FFB1C88C553
CreateWindowExW.USER32 ref: 00007FFB1C88C5A4
ShowWindow.USER32 ref: 00007FFB1C88C5B2
UpdateWindow.USER32 ref: 00007FFB1C88C5BB
GetMessageW.USER32 ref: 00007FFB1C88C5E3
TranslateMessage.USER32 ref: 00007FFB1C88C5F5
DispatchMessageW.USER32 ref: 00007FFB1C88C600
GetMessageW.USER32 ref: 00007FFB1C88C613

Strings

SocialNetworkWindowClass, xrefs: 00007FFB1C88C525
aNvgHAbNflIQuMIeZ, xrefs: 00007FFB1C88C561

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Message$Window$ClassCreateDispatchRegisterShowTranslateUpdate
String ID: SocialNetworkWindowClass$aNvgHAbNflIQuMIeZ
API String ID: 4213590987-1066387124
Opcode ID: ab7f916197c50a9a40a51421b793f700aa93bf47a2e5dcddd6a5e85bdb6c0f34
Instruction ID: 1bf45cf2197f3344a47e66e8732f34f2a7fde9c839ec00bcc11149cd0933fc70
Opcode Fuzzy Hash: ab7f916197c50a9a40a51421b793f700aa93bf47a2e5dcddd6a5e85bdb6c0f34
Instruction Fuzzy Hash: D63175B2A18FD281E710CB21F8482AE73A5FB98790F664235E69D43A18DF39D555C700

Function 00007FFB1DE7CEE0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE7CF08
memset.VCRUNTIME140 ref: 00007FFB1DE7CF3C
CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE7CF50
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE7D02E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7D046
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE7D10B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7D123

Strings

tls1_set_server_sigalgs, xrefs: 00007FFB1DE7D033, 00007FFB1DE7D110
ssl\t1_lib.c, xrefs: 00007FFB1DE7CEF4, 00007FFB1DE7CF49, 00007FFB1DE7D03F, 00007FFB1DE7D11C

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_zallocmemset
String ID: ssl\t1_lib.c$tls1_set_server_sigalgs
API String ID: 2125936233-369108580
Opcode ID: 8e7335efe920e2ace8b8d1fc7220872b0e36672084f4e95c29e6134e82f933e1
Instruction ID: 9a19d434a7ffaefff9c834d057448fa18f322eba515b2cfa33d29053672d5ebb
Opcode Fuzzy Hash: 8e7335efe920e2ace8b8d1fc7220872b0e36672084f4e95c29e6134e82f933e1
Instruction Fuzzy Hash: 0661A1A3A09E4285EF559F35E4003FA2796EB49BA6F185031DE4D47798EF3DE482C390

Function 00007FFB1DEA2CF0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

OPENSSL_LH_retrieve.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2D3C
CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2D73
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2DB3
OPENSSL_LH_insert.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2DEA
OPENSSL_LH_insert.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2E43
OPENSSL_LH_retrieve.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2E6A
OPENSSL_LH_insert.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2E7E
OPENSSL_LH_insert.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE8DB50), ref: 00007FFB1DEA2ED8

Strings

ssl\quic\quic_srtm.c, xrefs: 00007FFB1DEA2D67, 00007FFB1DEA2DA9

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: H_insert$H_retrieve$O_freeO_zalloc
String ID: ssl\quic\quic_srtm.c
API String ID: 3332892965-1571964953
Opcode ID: 0c95155452231cd3a3aeffa83459906a94b24acc31dc2ee1a7f4995fd586d30c
Instruction ID: 9730dfc8262a3152821b3f642f200dc7a2976d9a6bca46b34390ecf4641ca13e
Opcode Fuzzy Hash: 0c95155452231cd3a3aeffa83459906a94b24acc31dc2ee1a7f4995fd586d30c
Instruction Fuzzy Hash: 9C518BA3A09F4281EE159B26D4902BE67A2FB4CFE5F049435DE8D97785FF2CE4508300

Function 00007FFB1DE56FC0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

ssl3_setup_key_block, xrefs: 00007FFB1DE5711B
ssl\s3_enc.c, xrefs: 00007FFB1DE570C8, 00007FFB1DE570EE, 00007FFB1DE57127

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl3_setup_key_block$ssl\s3_enc.c
API String ID: 0-3285098195
Opcode ID: ee10232764cc8ed0f4b7d80da359f4e73cef204572b0d892005a2d49d5edd6fd
Instruction ID: 7a0fc4fdbeee43234a51486d6b1348d172ae8a9b5fe159161e3562be0be56470
Opcode Fuzzy Hash: ee10232764cc8ed0f4b7d80da359f4e73cef204572b0d892005a2d49d5edd6fd
Instruction Fuzzy Hash: 3A416277B08E8282DB54DB35E5442AEA3A1FB89BE1F500135EF9C87B59EF38D0618740

Function 00007FFB1DEA2F00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

OPENSSL_LH_retrieve.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2F44
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2F86
OPENSSL_LH_delete.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2FA4
OPENSSL_LH_retrieve.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2FB0
OPENSSL_LH_insert.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2FC9
OPENSSL_LH_error.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA2FD2
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8B93D), ref: 00007FFB1DEA3024

Strings

ssl\quic\quic_srtm.c, xrefs: 00007FFB1DEA2F7C, 00007FFB1DEA301A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: H_retrieveO_free$H_deleteH_errorH_insert
String ID: ssl\quic\quic_srtm.c
API String ID: 3506934081-1571964953
Opcode ID: 3f25c8ba26338b6c0a18e44e9a63bf7d68e9f932941824fcf1dacb34824ca182
Instruction ID: d646721fea63786d47866bafcd7447cbda3e9101221f36f00a671a81a9317478
Opcode Fuzzy Hash: 3f25c8ba26338b6c0a18e44e9a63bf7d68e9f932941824fcf1dacb34824ca182
Instruction Fuzzy Hash: 8D314DA3B08E92C5EE509B32E49527AA392AF48FD5F445431EE8D4B799FE2CE4018700

Function 00007FFB1C884080 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FFB1C8840D7
CreateWindowExW.USER32 ref: 00007FFB1C884123
ShowWindow.USER32 ref: 00007FFB1C884133
GetMessageW.USER32 ref: 00007FFB1C88415B
TranslateMessage.USER32 ref: 00007FFB1C88416A
DispatchMessageW.USER32 ref: 00007FFB1C884175
GetMessageW.USER32 ref: 00007FFB1C884188

Strings

JSON Formatter, xrefs: 00007FFB1C8840E2
JsonEditorWindow, xrefs: 00007FFB1C8840B5

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
String ID: JSON Formatter$JsonEditorWindow
API String ID: 4062082325-1842938598
Opcode ID: c6bfcd4637c407bdd722a2db32c1fdb33f16b7892766a695c0b549ea5e6537e5
Instruction ID: d514a3d0fab8dd7b8f2b9462270e1dfb131de3b19f0b90baf43ad475456e6a08
Opcode Fuzzy Hash: c6bfcd4637c407bdd722a2db32c1fdb33f16b7892766a695c0b549ea5e6537e5
Instruction Fuzzy Hash: 1B3183B2A1CFC182E710CF21F4486AE73A5FB987A0F764239DA9D42A14DF79D585C700

Function 00007FFB1DE79E10 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE79E3B
EVP_MAC_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE79E90
EVP_MAC_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE79EA0
EVP_MAC_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79EB0
EVP_MAC_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79ECB
EVP_MAC_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79ED3
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79EE8

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE79E2B, 00007FFB1DE79EDE
HMAC, xrefs: 00007FFB1DE79E86

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: C_free$C_fetchO_freeO_zallocX_freeX_new
String ID: HMAC$ssl\t1_lib.c
API String ID: 1171047353-1458471465
Opcode ID: 0e31a0dfe2c348721a69ba00e0365a9dd1f664828a6f5c09db7c230a5bcea0fd
Instruction ID: cd21dbbfab5d3f750e4bbd846d6fd24a26d86822afd753b3b464d835eed0472f
Opcode Fuzzy Hash: 0e31a0dfe2c348721a69ba00e0365a9dd1f664828a6f5c09db7c230a5bcea0fd
Instruction Fuzzy Hash: 652162A3B09E4240EEA4D736E5451BE5392EF4DBD5F481035EA8E87B9AFE2CF5418700

Function 00007FFB1DEB8D50 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8D74
BIO_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8D7D
BIO_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8D86
CRYPTO_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8D9F
EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8DC5
EVP_MD_CTX_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8DD1
OPENSSL_cleanse.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8DF5
CRYPTO_free.LIBCRYPTO-3-X64(-0000001F,00007FFB1DEB6B60,?,00007FFB1DEB25F2), ref: 00007FFB1DEB8E20

Strings

ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB8D92, 00007FFB1DEB8E13, 00007FFB1DEB8E38

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$X_free$L_cleanse
String ID: ssl\record\methods\tls_common.c
API String ID: 3857070794-847517130
Opcode ID: 8ac0874fa5ab86aca2b6a0fdd1ebcbee07f2c6a6f5b954580b098ac74c3cdab0
Instruction ID: 77f8c472a4049109607a0ce9123fb3d0f40acb501aa7852336ae7fb533f66128
Opcode Fuzzy Hash: 8ac0874fa5ab86aca2b6a0fdd1ebcbee07f2c6a6f5b954580b098ac74c3cdab0
Instruction Fuzzy Hash: CB213573A18E8185EE14DB31E8452EE6366EB89FA1F045031EBDE43659EE3CE5418701

Function 00007FFB1DE62F50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F7F
ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F97
ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62FA8
CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62FE7
CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE63012
CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE6303B

Strings

ssl\ssl_init.c, xrefs: 00007FFB1DE62F90
OPENSSL_init_ssl, xrefs: 00007FFB1DE62F84

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_run_once$R_newR_set_debugR_set_error
String ID: OPENSSL_init_ssl$ssl\ssl_init.c
API String ID: 3879570137-538246785
Opcode ID: e428231572362727e442b1ea25062718500cea8211376ac3d808f4ad4c4b1cdf
Instruction ID: 2ba2521b9fc130fa2c5a169d9d2f427bc42624bc3990cf69a66336386efb8782
Opcode Fuzzy Hash: e428231572362727e442b1ea25062718500cea8211376ac3d808f4ad4c4b1cdf
Instruction Fuzzy Hash: 0D312FA2B18D07C6FF849735E8956B62393EF9C7A2F481135D90D82195FE2DE945C700

Function 00007FFB1DEA5F70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA5FBA
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA5FC7
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA5FE8
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA6046
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA605E
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE8C807), ref: 00007FFB1DEA606F

Strings

ssl\quic\quic_tls.c, xrefs: 00007FFB1DEA5FAE, 00007FFB1DEA5FDE, 00007FFB1DEA6057
ossl_quic_tls_new, xrefs: 00007FFB1DEA604B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: E_newO_freeO_zallocR_newR_set_debugR_set_error
String ID: ossl_quic_tls_new$ssl\quic\quic_tls.c
API String ID: 1337097257-212905574
Opcode ID: 07a6e7a53650a328b48d4c8086b47f4ddac9562137019026a073c9e71da6c7b9
Instruction ID: 62c75b18c59fd581285ab786ca973f9df44d35e21c389566e4b269756402b358
Opcode Fuzzy Hash: 07a6e7a53650a328b48d4c8086b47f4ddac9562137019026a073c9e71da6c7b9
Instruction Fuzzy Hash: 5B313E93E18F8582EB558B38C6453B923A1FB59759F04A234DF8C42596FF28F5E5C300

Function 00007FFB1DE70EF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE70F47
memcpy.VCRUNTIME140 ref: 00007FFB1DE70F7E
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE70FA9
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE70FB2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE70FCA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE70FDB

Strings

ssl\ssl_rsa.c, xrefs: 00007FFB1DE70F31, 00007FFB1DE70F9D, 00007FFB1DE70FC3
SSL_CTX_use_serverinfo_ex, xrefs: 00007FFB1DE70FB7

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_mallocR_newR_set_debugR_set_errormemcpy
String ID: SSL_CTX_use_serverinfo_ex$ssl\ssl_rsa.c
API String ID: 3414495729-2805076526
Opcode ID: 117c0580ed0a577117123264ac3cd7d8bb4798b487c192ce15e24cc0f1dffc92
Instruction ID: 8ccf9c89582a16088ba7601fdb4adc9fbeef52db58cd5afdfedc1b729ac154ee
Opcode Fuzzy Hash: 117c0580ed0a577117123264ac3cd7d8bb4798b487c192ce15e24cc0f1dffc92
Instruction Fuzzy Hash: 2A21D6A3708E8182EE84DB35E4512EB9662EF4CBD5F584035EE8D87B8AFE3DD5418700

Function 00007FFB1C90A62C Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C90A210: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C90A251
Part of subcall function 00007FFB1C90A210: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C90A2CF
Part of subcall function 00007FFB1C90A210: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C90A320

CreateFileW.KERNEL32 ref: 00007FFB1C90A732
CreateFileW.KERNEL32 ref: 00007FFB1C90A782
GetLastError.KERNEL32 ref: 00007FFB1C90A7B2
GetFileType.KERNEL32 ref: 00007FFB1C90A7C7
GetLastError.KERNEL32 ref: 00007FFB1C90A7D1
CloseHandle.KERNEL32 ref: 00007FFB1C90A804
CloseHandle.KERNEL32 ref: 00007FFB1C90A967
CreateFileW.KERNEL32 ref: 00007FFB1C90A99C
GetLastError.KERNEL32 ref: 00007FFB1C90A9AB

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a56d3e023696b04d149f0235eb57b9135650ae742d6cb89905a0fdcd75b4d7ec
Instruction ID: c37ecf1f4341ad35a309e3da5d0f1ea3d1d15aef657dba6bc5498ad374088d0b
Opcode Fuzzy Hash: a56d3e023696b04d149f0235eb57b9135650ae742d6cb89905a0fdcd75b4d7ec
Instruction Fuzzy Hash: 62C1A0B6B24E4285EB51CF74C4952AC3766FB48BA8F215329DA2E97794CF3CD062C340

Function 00007FFB1DEA8010 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DE8C6B2), ref: 00007FFB1DEA80B1
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8C6B2), ref: 00007FFB1DEA81CF
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE8C6B2), ref: 00007FFB1DEA81F5
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE8C6B2), ref: 00007FFB1DEA820D
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE8C6B2), ref: 00007FFB1DEA821E

Strings

ossl_quic_tx_packetiser_new, xrefs: 00007FFB1DEA81FA
ssl\quic\quic_txp.c, xrefs: 00007FFB1DEA80A5, 00007FFB1DEA81C5, 00007FFB1DEA8206

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_zallocR_newR_set_debugR_set_error
String ID: ossl_quic_tx_packetiser_new$ssl\quic\quic_txp.c
API String ID: 2487674020-2408920186
Opcode ID: 0d54829e627100d95710d9f9ff8c469428cef590888d58cb8fc85c4405ccb3ce
Instruction ID: 3f1ee7cf015518442cc6b3b71c490c5e2e6259ae9001de20f8499b35aaa41fea
Opcode Fuzzy Hash: 0d54829e627100d95710d9f9ff8c469428cef590888d58cb8fc85c4405ccb3ce
Instruction Fuzzy Hash: 16515D63908F82C2EB518B28D5413F927A1FB68B59F14A236DA8C52666FF38E5D5C300

Function 00007FFB1DE5ECD0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

COMP_get_type.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ECFD
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ED2F
COMP_get_name.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ED49
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ED5C
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ED75
OPENSSL_sk_sort.LIBCRYPTO-3-X64 ref: 00007FFB1DE5ED81

Strings

ssl\ssl_ciph.c, xrefs: 00007FFB1DE5ED23, 00007FFB1DE5ED6B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_pushL_sk_sortO_freeO_mallocP_get_nameP_get_type
String ID: ssl\ssl_ciph.c
API String ID: 3831471288-1912280922
Opcode ID: c426d557a64d348212905d6b705e4924477e6e602ca8a573227d6069c5b95010
Instruction ID: 08a381e8e0419f12aa750d50eb7dd6ee73685aeac98bc86b8f700bdf4eefcf4a
Opcode Fuzzy Hash: c426d557a64d348212905d6b705e4924477e6e602ca8a573227d6069c5b95010
Instruction Fuzzy Hash: 4F113DE2E09E0280FE41AB31E9492B923939F4DBA1F445535D94D873DAFE3DE5408701

Function 00007FFB1C9070D8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

TranslateName.LIBCMT ref: 00007FFB1C907142
TranslateName.LIBCMT ref: 00007FFB1C90717D
GetACP.KERNEL32 ref: 00007FFB1C9071C4
IsValidCodePage.KERNEL32 ref: 00007FFB1C9071FC
GetLocaleInfoW.KERNEL32 ref: 00007FFB1C9073B9

Strings

utf8, xrefs: 00007FFB1C9072E0

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 8c984b191dd8d4ab8c62329e412aaf2878b1b2fa7b0e38ac3d78b4ea2ee77a9d
Instruction ID: d8ac2c900f4b421a0ad2103bee603967bfec9d3334368b63c6e498c29f149cd3
Opcode Fuzzy Hash: 8c984b191dd8d4ab8c62329e412aaf2878b1b2fa7b0e38ac3d78b4ea2ee77a9d
Instruction Fuzzy Hash: 39915FE2A08B8285EBA69F71D8492FD239AAB44BE0F644135DE5C47786DF3CE561C340

Function 00007FFB1C907B20 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FA5

GetUserDefaultLCID.KERNEL32 ref: 00007FFB1C907C90

Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FD2
Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FE3
Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FF4

EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C907C77
ProcessCodePage.LIBCMT ref: 00007FFB1C907CBA
IsValidCodePage.KERNEL32 ref: 00007FFB1C907CCC
IsValidLocale.KERNEL32 ref: 00007FFB1C907CE2
GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907D3E
GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907D5A

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: b6dbe6e1f468c4d986dea7447cfbbc849d1da4805b2ab7b11bae69cd138aad5a
Instruction ID: 0d5fedc18c3b093314724dd76ce4dc58478e76c9bccadc7b768b6b177bd9cabe
Opcode Fuzzy Hash: b6dbe6e1f468c4d986dea7447cfbbc849d1da4805b2ab7b11bae69cd138aad5a
Instruction Fuzzy Hash: A8718CE2B18A128AFB929B70D8586FC33AABF447B4F644035CA0D47785EF3CA855C350

Function 00007FFB1DEC9F76 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECA04D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECA069
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECA081
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DECA0AB

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECA040, 00007FFB1DECA07A, 00007FFB1DECA09E
tls_process_encrypted_extensions, xrefs: 00007FFB1DECA06E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$R_newR_set_debug
String ID: ssl\statem\statem_clnt.c$tls_process_encrypted_extensions
API String ID: 3271392029-66032045
Opcode ID: 121354645d4f7b5a54b3dd69de628dbd2bc432ba43e66a0f60b9aec39af00b4f
Instruction ID: a24e8e335e390fdbd81fdae1de69d1b6b2c268ed3e733466bc702a9184741d38
Opcode Fuzzy Hash: 121354645d4f7b5a54b3dd69de628dbd2bc432ba43e66a0f60b9aec39af00b4f
Instruction Fuzzy Hash: 093193B3A1CE8281EB508B61F4411BBA792EB887E5F445131EBCD47A59EF7CE1908B00

Function 00007FFB1C8E77FC Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB1C8E7818
RtlCaptureContext.KERNEL32 ref: 00007FFB1C8E7845
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB1C8E785F
RtlVirtualUnwind.KERNEL32 ref: 00007FFB1C8E78A0
IsDebuggerPresent.KERNEL32 ref: 00007FFB1C8E78F4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB1C8E7911
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB1C8E791C

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: f4b3e86278e8da6e438ddba34c90fa2e72e04d3d5be9a2c9c5daf3bdadeeef46
Instruction ID: 36b76df9263d947907059f4238ec6151d6bf741b7f57f2bf25c19705f1e2d1c2
Opcode Fuzzy Hash: f4b3e86278e8da6e438ddba34c90fa2e72e04d3d5be9a2c9c5daf3bdadeeef46
Instruction Fuzzy Hash: FB3148B2608F818AEB609F70E8843ED7366FB84754F54403ADA4E47B98EF38D658C714

Function 00007FFB1DED0D00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D3B
CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D5B
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D76
CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D9D
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0DB8

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFB1DED0D2D, 00007FFB1DED0D54, 00007FFB1DED0D6C, 00007FFB1DED0D96, 00007FFB1DED0DB1

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_zalloc$O_malloc
String ID: ssl\statem\statem_dtls.c
API String ID: 2040210391-3166991913
Opcode ID: 4ee3175b06c1e3864376740c292cc202866a76f1f36279b6d8d13029f1d86476
Instruction ID: 6c89ea840bf4fcd6d19b723b25a800156f0534deaf79b74cde1c7c4e58ee734e
Opcode Fuzzy Hash: 4ee3175b06c1e3864376740c292cc202866a76f1f36279b6d8d13029f1d86476
Instruction Fuzzy Hash: 2A216DA3619E1296EE60DB22D4005AA36A2EB4CBD1F485131EA8D83B49FF3DF904C700

Function 00007FFB1C8FF35C Relevance: 9.3, APIs: 6, Instructions: 335timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFB1C8FF3A1

Part of subcall function 00007FFB1C8FEA18: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8FEA2C

Part of subcall function 00007FFB1C8FBC14: HeapFree.KERNEL32 ref: 00007FFB1C8FBC2A
Part of subcall function 00007FFB1C8FBC14: GetLastError.KERNEL32 ref: 00007FFB1C8FBC34

Part of subcall function 00007FFB1C909910: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C90985B

_get_daylight.LIBCMT ref: 00007FFB1C8FF390

Part of subcall function 00007FFB1C8FEA78: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8FEA8C

_get_daylight.LIBCMT ref: 00007FFB1C8FF606
_get_daylight.LIBCMT ref: 00007FFB1C8FF617
_get_daylight.LIBCMT ref: 00007FFB1C8FF628
GetTimeZoneInformation.KERNEL32 ref: 00007FFB1C8FF64F

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 355007559-0
Opcode ID: ed5c070b7a09bceae998240616531d19f2ca4813460624cb4a4d0a5370a6e910
Instruction ID: b8514c59e0fb7f25eb6f1c8a3dc225e3fbf4a6fb4bd309e70d91ce6ef4ef68ae
Opcode Fuzzy Hash: ed5c070b7a09bceae998240616531d19f2ca4813460624cb4a4d0a5370a6e910
Instruction Fuzzy Hash: D5D1CFF6A08A4286EB21DF35D8881FD6793FB54BA4F604435EA4D47695DF3CE441C780

Function 00007FFB1C8F2918 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8F293A
_get_daylight.LIBCMT ref: 00007FFB1C8F299A
_get_daylight.LIBCMT ref: 00007FFB1C8F29AB
_get_daylight.LIBCMT ref: 00007FFB1C8F29BC
_isindst.LIBCMT ref: 00007FFB1C8F2A0D
_isindst.LIBCMT ref: 00007FFB1C8F2A60

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 6d0120c0fcbd085e5283179bca21b93c03aa44e662d3e671d3edca23e54111e0
Instruction ID: 086279084252170df3a825ee99b049e5bd83c0b72d32aff16f589ed6da389ae3
Opcode Fuzzy Hash: 6d0120c0fcbd085e5283179bca21b93c03aa44e662d3e671d3edca23e54111e0
Instruction Fuzzy Hash: 1C91E7F2B04A468BEB588F75C9893F82796EB54B98F148035DE0D8B789EF3CE4518700

Function 00007FFB1C8F36A0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFB1C8F3719
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB1C8F3731
RtlVirtualUnwind.KERNEL32 ref: 00007FFB1C8F376C
IsDebuggerPresent.KERNEL32 ref: 00007FFB1C8F37A5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB1C8F37AF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB1C8F37BA

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f528700eaa381ee5cf219629b03147affbcdb80a622f37f4bdce0303fd850b75
Instruction ID: 9ca1f080b3a0a8f3d4fb9ec28460b4b8f6b53151f39ffbff7e89ec1e8dd7fda7
Opcode Fuzzy Hash: f528700eaa381ee5cf219629b03147affbcdb80a622f37f4bdce0303fd850b75
Instruction Fuzzy Hash: 58317FB6618F8186EB60CB35E8442EE73A5FB857A4F600135EA9D47B58DF3CC555CB00

Function 00007FFB1DEAEF60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEFBD
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEFD2
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEFE8
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE54EF0), ref: 00007FFB1DEAF035

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFB1DEAEFC5, 00007FFB1DEAEFDB, 00007FFB1DEAF02E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$L_cleanse
String ID: ssl\record\rec_layer_d1.c
API String ID: 927910673-2186836241
Opcode ID: 5508b19d622f061c9b1d53798353b5f1da236bf3d2e924b5e2f7a8e3381cbec4
Instruction ID: 7d048aa17567b1b06b0bcdf9da6ac3292571dcd1fc70ab0b0829698b5d2a78a0
Opcode Fuzzy Hash: 5508b19d622f061c9b1d53798353b5f1da236bf3d2e924b5e2f7a8e3381cbec4
Instruction Fuzzy Hash: 72216DA7709E9681EE40DB26D48526A2362FB8CBE5F488031EE8D87759EF3CE4418300

Function 00007FFB1DE7A040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

OSSL_PROVIDER_do_all.LIBCRYPTO-3-X64(00000000,00007FFB1DE64590), ref: 00007FFB1DE7A05F
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE7A08E
CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE7A0AB
OBJ_txt2nid.LIBCRYPTO-3-X64 ref: 00007FFB1DE7A0EC

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE7A081, 00007FFB1DE7A09A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: J_txt2nidO_freeO_zallocR_do_all
String ID: ssl\t1_lib.c
API String ID: 2081320938-1168734446
Opcode ID: 4522fdd821fc6d633d4f8c236fc774a1732d19341980f1941b9abff2e6b6de77
Instruction ID: c80481662258123875af3009c190893ba0056d3366828d2e679ef806828d5739
Opcode Fuzzy Hash: 4522fdd821fc6d633d4f8c236fc774a1732d19341980f1941b9abff2e6b6de77
Instruction Fuzzy Hash: 1C216DA3A19E8581EF509F61E8443AA77A2FB88B95F081035DE4D8B749EF39D451C350

Function 00007FFB1DEA3D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEA3DA4
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEA3DF2
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEA3E0C

Strings

C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/ring_buf.h, xrefs: 00007FFB1DEA3DEB
ssl\quic\quic_sstream.c, xrefs: 00007FFB1DEA3D9D, 00007FFB1DEA3DFE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$O_zalloc
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/ring_buf.h$ssl\quic\quic_sstream.c
API String ID: 3122723925-3855655258
Opcode ID: fadc9f331ea1978603b88a6127e6c6768119e5fae58bdae66f22d38603fb8a53
Instruction ID: e2b30b1ea87e31e264eac5f6a587b6a14d26698c94df2ed556fcc635d3880573
Opcode Fuzzy Hash: fadc9f331ea1978603b88a6127e6c6768119e5fae58bdae66f22d38603fb8a53
Instruction Fuzzy Hash: 861181B3B28E5281EF509B25E4400AA7365EB88F94B855031EB8D47B59EF3CE995C740

Function 00007FFB1DE89E70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

OPENSSL_LH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE89E97

Part of subcall function 00007FFB1DEAE8C0: CRYPTO_free.LIBCRYPTO-3-X64(00007FFB1DEA383E,?,00007FFB1DEA49ED,?,00007FFB1DE986D2,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEAE8F0

OPENSSL_LH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE89EC9
OPENSSL_LH_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE89EFC
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE89F32

Strings

ssl\quic\quic_ackm.c, xrefs: 00007FFB1DE89F28

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: H_free$O_free
String ID: ssl\quic\quic_ackm.c
API String ID: 1910653227-1180045938
Opcode ID: 998c3a664cc84d8033547ad971abbd64c4c92aa923f625fe29ef86c4b599d786
Instruction ID: 67d3a7e94dbce116e1a97957ebac00562d12c0d6391d7054b4435b5b11a7b7eb
Opcode Fuzzy Hash: 998c3a664cc84d8033547ad971abbd64c4c92aa923f625fe29ef86c4b599d786
Instruction Fuzzy Hash: BB115CA3E18E8280EF04DF34D4453BA2791EF99B59F541532EA4C9A286FF38D581C380

Function 00007FFB1DE5DE10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

i2d_X509_NAME.LIBCRYPTO-3-X64 ref: 00007FFB1DE5DE47
memcmp.VCRUNTIME140 ref: 00007FFB1DE5DE6C
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5DE8A
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5DEA1

Strings

ssl\ssl_cert.c, xrefs: 00007FFB1DE5DE80, 00007FFB1DE5DE94

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$X509_i2d_memcmp
String ID: ssl\ssl_cert.c
API String ID: 3961804185-188639428
Opcode ID: 2333bb739c99903e67c5a981d5ce0fd111dc44893573e4097e11239608cff131
Instruction ID: 02606fd640ae8650434a25582439226b1dc2b5e1ba619908be563b0cc014f7ad
Opcode Fuzzy Hash: 2333bb739c99903e67c5a981d5ce0fd111dc44893573e4097e11239608cff131
Instruction Fuzzy Hash: 4201E5A3B0CE4245EE409639E44416F6663EB8EBF1F241035EA8D87B9EFE2DD4418700

Function 00007FFB1DEA3050 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFB1DE9B45E,?,00007FFB1DE9AED7,?,00007FFB1DE923F0), ref: 00007FFB1DEA306A
OPENSSL_LH_free.LIBCRYPTO-3-X64(?,00007FFB1DE9B45E,?,00007FFB1DE9AED7,?,00007FFB1DE923F0), ref: 00007FFB1DEA3088
EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,00007FFB1DE9B45E,?,00007FFB1DE9AED7,?,00007FFB1DE923F0), ref: 00007FFB1DEA3090
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE9B45E,?,00007FFB1DE9AED7,?,00007FFB1DE923F0), ref: 00007FFB1DEA30A5

Strings

ssl\quic\quic_srtm.c, xrefs: 00007FFB1DEA309B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: H_free$O_freeX_free
String ID: ssl\quic\quic_srtm.c
API String ID: 2794152495-1571964953
Opcode ID: 36e6481bdd707c1d79cd4b0f86534af4367d454759a6bea3687065b713e46f7d
Instruction ID: b78203c916130327a144e0532c214f920d05e4337271660afbbe2bc46722d68f
Opcode Fuzzy Hash: 36e6481bdd707c1d79cd4b0f86534af4367d454759a6bea3687065b713e46f7d
Instruction Fuzzy Hash: EFF012D3F19D0280FE14EB71D89527A22529F8CFA6F445031D94DCB296FE5CE8418755

Function 00007FFB1DED0F50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DED0D00: CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D3B
Part of subcall function 00007FFB1DED0D00: CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D5B
Part of subcall function 00007FFB1DED0D00: CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DED131B,00000000,?,?,?,?,00007FFB1DED2183,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD), ref: 00007FFB1DED0D76

CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DED2156,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000), ref: 00007FFB1DED10FE
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DED2156,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000), ref: 00007FFB1DED1114
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DED2156,?,?,?,?,00000000,00007FFB1DED1CBD,?,00007FFB1DEC81BD,00000000), ref: 00007FFB1DED1129

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFB1DED10F1, 00007FFB1DED1107, 00007FFB1DED111F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$O_mallocO_zalloc
String ID: ssl\statem\statem_dtls.c
API String ID: 2830562681-3166991913
Opcode ID: 1a730945e3393305367e5eb0cfe69b410dca60805baabbf4968c3e304bb087c6
Instruction ID: 6603c22c3b84fb9203e3717d6c7ab7f0937d1eeb759ac3a305d873011d2f9ae8
Opcode Fuzzy Hash: 1a730945e3393305367e5eb0cfe69b410dca60805baabbf4968c3e304bb087c6
Instruction Fuzzy Hash: 5B51C6A3B09E8182EF548B25D5402BA6362FB9CB95F445131EF8D87795EF3DE4518700

Function 00007FFB1DE6CDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE6CE75
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE6CF2F

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE6CE49, 00007FFB1DE6CF1D
%02x, xrefs: 00007FFB1DE6CEB5, 00007FFB1DE6CEE5

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_clear_freeO_malloc
String ID: %02x$ssl\ssl_lib.c
API String ID: 1578198043-4123061399
Opcode ID: 7d3805ec666331174c8a31d228c8cd37d9265ece0db4ab4fd851bc85acb06b01
Instruction ID: acf017077e2cff273afadd8a18502b6d58c936a4c7fd200eb4f89d6c9e878453
Opcode Fuzzy Hash: 7d3805ec666331174c8a31d228c8cd37d9265ece0db4ab4fd851bc85acb06b01
Instruction Fuzzy Hash: 7A418363A08F9186DF518B29F50036A6BA6F75CB95F485031EE8D43755EE3DD1528700

Function 00007FFB1DE9ADA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DE923F0), ref: 00007FFB1DE9ADC4
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64(?,00007FFB1DE923F0), ref: 00007FFB1DE9AE0C

Part of subcall function 00007FFB1DE921F0: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE9222D
Part of subcall function 00007FFB1DE921F0: BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE92263
Part of subcall function 00007FFB1DE921F0: BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE9227A

Part of subcall function 00007FFB1DEA3190: RAND_priv_bytes_ex.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA31CB
Part of subcall function 00007FFB1DEA3190: CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA31E7
Part of subcall function 00007FFB1DEA3190: EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA3205
Part of subcall function 00007FFB1DEA3190: EVP_CIPHER_CTX_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA3216
Part of subcall function 00007FFB1DEA3190: EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA324E
Part of subcall function 00007FFB1DEA3190: OPENSSL_LH_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA3263
Part of subcall function 00007FFB1DEA3190: OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA328C
Part of subcall function 00007FFB1DEA3190: OPENSSL_LH_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA32A8
Part of subcall function 00007FFB1DEA3190: OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,?,?,00007FFB1DE9AE5F,?,00007FFB1DE923F0), ref: 00007FFB1DEA32CA

Part of subcall function 00007FFB1DE9AA60: CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFB1DE9AE75,?,00007FFB1DE923F0), ref: 00007FFB1DE9AA9B
Part of subcall function 00007FFB1DE9AA60: OPENSSL_LH_new.LIBCRYPTO-3-X64(?,00007FFB1DE9AE75,?,00007FFB1DE923F0), ref: 00007FFB1DE9AABA
Part of subcall function 00007FFB1DE9AA60: OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,00007FFB1DE9AE75,?,00007FFB1DE923F0), ref: 00007FFB1DE9AAE3
Part of subcall function 00007FFB1DE9AA60: OPENSSL_LH_new.LIBCRYPTO-3-X64(?,00007FFB1DE9AE75,?,00007FFB1DE923F0), ref: 00007FFB1DE9AAFF
Part of subcall function 00007FFB1DE9AA60: OPENSSL_LH_set_thunks.LIBCRYPTO-3-X64(?,00007FFB1DE9AE75,?,00007FFB1DE923F0), ref: 00007FFB1DE9AB28

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE923F0), ref: 00007FFB1DE9AEE7

Strings

ssl\quic\quic_port.c, xrefs: 00007FFB1DE9ADBD, 00007FFB1DE9AEDD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: H_newH_set_thunksO_zalloc$O_ctrl$D_priv_bytes_exE_newO_freeR_fetchR_freeX_new
String ID: ssl\quic\quic_port.c
API String ID: 3589639851-1976217255
Opcode ID: 4c3cfb9d85eb85d1d9d0878f52bcd982ac35bf487ec90c1839e666db09dbf35f
Instruction ID: 45e967bc3392d552f86cc1de9be4f8d994b6245664d94c99c7d8bc89b1b7d102
Opcode Fuzzy Hash: 4c3cfb9d85eb85d1d9d0878f52bcd982ac35bf487ec90c1839e666db09dbf35f
Instruction Fuzzy Hash: 4F41F8A2606F4281EF59DB39D05036A37A6EF48B99F584135CA4D473A9EF38E492C340

Function 00007FFB1DE90020 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE90048
CRYPTO_strdup.LIBCRYPTO-3-X64 ref: 00007FFB1DE900CC
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE900ED

Strings

ssl\quic\quic_channel.c, xrefs: 00007FFB1DE90036, 00007FFB1DE900C5, 00007FFB1DE900E3

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_strdupO_zalloc
String ID: ssl\quic\quic_channel.c
API String ID: 496748389-3763991639
Opcode ID: 012fc72dd6c083d61b716ad15464edbe78b0a7ae2f4ed73a6705700e2b7c3ed2
Instruction ID: 83737b3ae283db593f92282f53c30cb3be0b5d27684a0025491911d142ffccc6
Opcode Fuzzy Hash: 012fc72dd6c083d61b716ad15464edbe78b0a7ae2f4ed73a6705700e2b7c3ed2
Instruction Fuzzy Hash: 36215172719F0186EF588B39E55136A37A2EB4CB95F445139DB4D87B89FF28E4A08700

Function 00007FFB1DE79F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

OSSL_PROVIDER_do_all.LIBCRYPTO-3-X64(?,00007FFB1DE64578), ref: 00007FFB1DE79F79
CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DE64578), ref: 00007FFB1DE79FF2
memcpy.VCRUNTIME140(?,00007FFB1DE64578), ref: 00007FFB1DE7A00E

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE79FEB

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_mallocR_do_allmemcpy
String ID: ssl\t1_lib.c
API String ID: 968945768-1168734446
Opcode ID: 3cbf170337629093123c5c839b9163a1397769b72870bdcb2c9395c533104355
Instruction ID: a72d124bfa1b0f20a304636979fd2fda54338f6ee374e2e4d694c1d5d4432480
Opcode Fuzzy Hash: 3cbf170337629093123c5c839b9163a1397769b72870bdcb2c9395c533104355
Instruction Fuzzy Hash: 0421C4A3B08F4281EE948B75E8512BB63A3EF4D7A1F441435EA8D87795FE2DE141C340

Function 00007FFB1DE73D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE62F50: ERR_new.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F7F
Part of subcall function 00007FFB1DE62F50: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62F97
Part of subcall function 00007FFB1DE62F50: ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFB1DE73D8B,00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE62FA8

CRYPTO_zalloc.LIBCRYPTO-3-X64(00000000,00007FFB1DE5ABE9,?,?,?,?,?,00007FFB1DE5AB6E), ref: 00007FFB1DE73DA5

Part of subcall function 00007FFB1DE52360: GetSystemTime.KERNEL32 ref: 00007FFB1DE52381
Part of subcall function 00007FFB1DE52360: SystemTimeToFileTime.KERNEL32 ref: 00007FFB1DE52391

CRYPTO_new_ex_data.LIBCRYPTO-3-X64 ref: 00007FFB1DE73E1A
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE73E31

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE73D99, 00007FFB1DE73E2A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Time$System$FileO_freeO_new_ex_dataO_zallocR_newR_set_debugR_set_error
String ID: ssl\ssl_sess.c
API String ID: 2079961291-3038452671
Opcode ID: 8c98617e46ef33e362c00297dbffd849ff9d594020140a8d1261fc600ce81e04
Instruction ID: 1b9878f4318fb449e935019b80ee2d0630b1556ae1e0c698fce4cd8b5049b043
Opcode Fuzzy Hash: 8c98617e46ef33e362c00297dbffd849ff9d594020140a8d1261fc600ce81e04
Instruction Fuzzy Hash: 4F1142E2605F8241EF909B75D4493E92292DF48BB5F484235DE6C4B3D6FE7DA5818210

Function 00007FFB1DEAEE90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEEEB
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEF00
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEAEF16

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFB1DEAEEF3, 00007FFB1DEAEF09

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$L_cleanse
String ID: ssl\record\rec_layer_d1.c
API String ID: 927910673-2186836241
Opcode ID: 033ae27bbd57ffbbeba534773e5d2946313cb879bf9a005337beda19e0d60a69
Instruction ID: 5c59a35fd01cd91af2fe4ba876509f2c5666f7362ba8959f7d47a271e7ec4d72
Opcode Fuzzy Hash: 033ae27bbd57ffbbeba534773e5d2946313cb879bf9a005337beda19e0d60a69
Instruction Fuzzy Hash: ED1151A7609E8681DE10DB22E48536A6362FB88FD4F489031EF8D47B59EF3CE4418740

Function 00007FFB1DED0CA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE54CA1,?,?,?,00007FFB1DE54A5D), ref: 00007FFB1DED0CC5
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE54CA1,?,?,?,00007FFB1DE54A5D), ref: 00007FFB1DED0CDB
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE54CA1,?,?,?,00007FFB1DE54A5D), ref: 00007FFB1DED0CF0

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFB1DED0CBE, 00007FFB1DED0CCE, 00007FFB1DED0CE6

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\statem\statem_dtls.c
API String ID: 2581946324-3166991913
Opcode ID: 980d27eda708c6e69cd876b2074985f9e6f072451b0e7c0b3c3691562bec142a
Instruction ID: d1c2378e08d147db5d6da9abce27b74e80998e44789a8a8af33c255e283a8fa7
Opcode Fuzzy Hash: 980d27eda708c6e69cd876b2074985f9e6f072451b0e7c0b3c3691562bec142a
Instruction Fuzzy Hash: 90F0A9D3B18D0740FE00A771C4412A61712EF5CBA2F401030DA8D87686BE2EEA058301

Function 00007FFB1C8FF5D8 Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFB1C8FF606

Part of subcall function 00007FFB1C8FEA78: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8FEA8C

_get_daylight.LIBCMT ref: 00007FFB1C8FF617

Part of subcall function 00007FFB1C8FEA18: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8FEA2C

_get_daylight.LIBCMT ref: 00007FFB1C8FF628

Part of subcall function 00007FFB1C8FEA48: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8FEA5C

Part of subcall function 00007FFB1C8FBC14: HeapFree.KERNEL32 ref: 00007FFB1C8FBC2A
Part of subcall function 00007FFB1C8FBC14: GetLastError.KERNEL32 ref: 00007FFB1C8FBC34

GetTimeZoneInformation.KERNEL32 ref: 00007FFB1C8FF64F

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: a7ca922b4082f335ec865cc2bb97cdd54e95a96ddc2d134f08a3b9f6e2ad6ed7
Instruction ID: 61e21fcd41ce6868fee73538fb91dfcd9fd6f13c5fbd155ac498d2b593cea640
Opcode Fuzzy Hash: a7ca922b4082f335ec865cc2bb97cdd54e95a96ddc2d134f08a3b9f6e2ad6ed7
Instruction Fuzzy Hash: 85519FF2A18A8286E310DF35E8C85FD67A2BB497A4F644536EA4D43A95DF3CE440C740

Function 00007FFB1DEA3F60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DEA3DE0,?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEA3FB8
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DEA3DE0,?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000,?,?,?,00007FFB1DE9359D), ref: 00007FFB1DEA4074

Part of subcall function 00007FFB1DEA3EA0: memcpy.VCRUNTIME140(00000000,?,?,00007FFB1DEA4029,?,00007FFB1DEA3DE0,?,00007FFB1DE8C976,00000000,?,?,00007FFB1DE901CA,00000000,00007FFB1DE98635,?,00000000), ref: 00007FFB1DEA3F27

Strings

C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/ring_buf.h, xrefs: 00007FFB1DEA3FAE, 00007FFB1DEA406D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_mallocmemcpy
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/ring_buf.h
API String ID: 2350084802-864110966
Opcode ID: fe0754c134d5b2a107909fe9c8a7928b7b976a9abd0f4d7a9d496bd47251997e
Instruction ID: 3db918650efe02a6f5f44eb7092c6b0f9fd4a1c0cca54a8f3b9eb1c8b51d91fb
Opcode Fuzzy Hash: fe0754c134d5b2a107909fe9c8a7928b7b976a9abd0f4d7a9d496bd47251997e
Instruction Fuzzy Hash: 0E31C9A3B18F82C1EE108F25E18016BA362FB58BD5F084035EB8D07B59EF7CE5918701

Function 00007FFB1DE73E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE73E85
CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFB1DE73EA7

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE73E71, 00007FFB1DE73E9A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\ssl_sess.c
API String ID: 3962629258-3038452671
Opcode ID: b615e097eb74a3e31e4004b7168d177a0a07b464e4d234aa27a0fff723e03222
Instruction ID: 5f6c7f59cfff35bfe613fd94acc2e349f6f0283c340c634a1f908c2651104115
Opcode Fuzzy Hash: b615e097eb74a3e31e4004b7168d177a0a07b464e4d234aa27a0fff723e03222
Instruction Fuzzy Hash: 1501A163B09FC181EBC68B21E9402AE63A5EB4CFD6F5C1035EE4C57B59EE29D5518300

Function 00007FFB1C8E4FE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FFB1C8E5006
FormatMessageA.KERNEL32 ref: 00007FFB1C8E5039

Strings

!x-sys-default-locale, xrefs: 00007FFB1C8E4FF9

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: da121b0053147a4cd48a103c60f298f1c445e81a4b04cb097de0a51a00665d45
Instruction ID: 027be6f2c0a4fb1686ac8478b2e06b539a9ce290689b5f4c7b0fc41edd5a977d
Opcode Fuzzy Hash: da121b0053147a4cd48a103c60f298f1c445e81a4b04cb097de0a51a00665d45
Instruction Fuzzy Hash: A20184F2B08B8282E7118B22F4487BA6792FB847E4F284035EA4E46A98DF3CD505C750

Function 00007FFB1DE74070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE740A5
CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFB1DE740D0

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE74091, 00007FFB1DE740C3

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\ssl_sess.c
API String ID: 3962629258-3038452671
Opcode ID: 2d9c2895b9a193ef70793ee609b6ec90d74ba3e07034518977d3d2daa7db7724
Instruction ID: 9dd367d2c2b627104e68e3987690c1bca38a6ac5e8aa308bb247f2e2c500fcb8
Opcode Fuzzy Hash: 2d9c2895b9a193ef70793ee609b6ec90d74ba3e07034518977d3d2daa7db7724
Instruction Fuzzy Hash: FB01C0A2B0DF8181FB968B35E4002AA63A5EF0CFE5F085030EE8C47B59EF2DD5528700

Function 00007FFB1DEB8050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DEB342B,?,00007FFB1DEB2DD6), ref: 00007FFB1DEB8084
COMP_expand_block.LIBCRYPTO-3-X64(?,00007FFB1DEB342B,?,00007FFB1DEB2DD6), ref: 00007FFB1DEB80AD

Strings

ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB8078

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_mallocP_expand_block
String ID: ssl\record\methods\tls_common.c
API String ID: 3543690440-847517130
Opcode ID: 40abed4e54d3991b77dce65aad5586adb9395deef946fbb790158b3d5fb62b57
Instruction ID: 65ddc24fae8ae6da2fc84a2a5bd27adbd5f62200642717c8ac3ebcd3ef4e6569
Opcode Fuzzy Hash: 40abed4e54d3991b77dce65aad5586adb9395deef946fbb790158b3d5fb62b57
Instruction Fuzzy Hash: AE0140A2715E4186EF508B35E54426AA2A5EB4CBD4F144135EF8C87789FE2DD5908700

Function 00007FFB1DEC8D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8D97
CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8DC0

Strings

C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFB1DEC8D87, 00007FFB1DEC8DB0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_memdup
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h
API String ID: 3962629258-149585741
Opcode ID: d511be7a97a76a68f8892750297987b73b2b4cb7e7618b9771533d684fb77ab5
Instruction ID: 4e5ec507817446211de208fb7811c06561abdb43cbde27a119359a099619afd8
Opcode Fuzzy Hash: d511be7a97a76a68f8892750297987b73b2b4cb7e7618b9771533d684fb77ab5
Instruction Fuzzy Hash: D6011A72706F8281EB508F26E98469A67A5EB58B90F488435EE8C87B49EF3DD4518700

Function 00007FFB1DEAF060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFB1DE55283), ref: 00007FFB1DEAF084
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE55283), ref: 00007FFB1DEAF0B4

Strings

ssl\record\rec_layer_d1.c, xrefs: 00007FFB1DEAF07D, 00007FFB1DEAF0AD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_malloc
String ID: ssl\record\rec_layer_d1.c
API String ID: 2609694610-2186836241
Opcode ID: 23bd01bcd12ebb62baa04184616f65c6e6d5da1de59c522abf4d49fefdb66ba4
Instruction ID: b58508d089a9a1b93f648566f2cbf6461e5cd9784d2a4e024da1dc3d812a280c
Opcode Fuzzy Hash: 23bd01bcd12ebb62baa04184616f65c6e6d5da1de59c522abf4d49fefdb66ba4
Instruction Fuzzy Hash: 000181A3B19E4285EF45DB25E1853AE62A1FF48B95F444031EB5C47789FE2CE8948700

Function 00007FFB1DE73F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE73F2D
CRYPTO_strdup.LIBCRYPTO-3-X64 ref: 00007FFB1DE73F5E

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE73F20, 00007FFB1DE73F54

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ssl\ssl_sess.c
API String ID: 2148955802-3038452671
Opcode ID: 4eaf6e4e8a3e6fd9a1389c0241ed9c31d69d2b9b7c72df51797123ec3ac3d8e0
Instruction ID: 5f25f34b233ab71883c32a370e33643a5c71ec89608b54f46f2b522497965c2a
Opcode Fuzzy Hash: 4eaf6e4e8a3e6fd9a1389c0241ed9c31d69d2b9b7c72df51797123ec3ac3d8e0
Instruction Fuzzy Hash: 38F0A962B15E4141EF85CB26E5412A96367DF4CFE0F5C9035DD4C47B59EE2DD2914600

Function 00007FFB1DE79CD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EVP_MAC_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79CE9
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE79D06

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE79CFC

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeX_free
String ID: ssl\t1_lib.c
API String ID: 2813942177-1168734446
Opcode ID: f7b29a22eb9fa9cc7dfb8880774f9b502d9fba244acae5210d0cf4f1baa20b64
Instruction ID: 27a2f45e67b9e7841d97f67f577a2984b80e1a6526b2305cc99e5303e0bb4221
Opcode Fuzzy Hash: f7b29a22eb9fa9cc7dfb8880774f9b502d9fba244acae5210d0cf4f1baa20b64
Instruction Fuzzy Hash: 2CE0C2C3F09D0304FD14B671D8162BA02124F4CBA2F681030ED0EC6783FD1DA5514310

Function 00007FFB1C90759C Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FA5

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907608

Part of subcall function 00007FFB1C902FE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C902FFD

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907651

Part of subcall function 00007FFB1C902FE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C903056

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907719

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 0adfbabb5d1312336817d496e804cc97cdd558a4d4970df37c366173e7d510d4
Instruction ID: b6aaa50e8c0157f240aa9ba668680cf9293bc7a2502be3b27189dbe190345d09
Opcode Fuzzy Hash: 0adfbabb5d1312336817d496e804cc97cdd558a4d4970df37c366173e7d510d4
Instruction Fuzzy Hash: 0A6190F2A0894286EBB58F25D9442BD73AAFB84BE5F204135C74E97695DF3CE460C740

Function 00007FFB1DE51EC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE51FB4

Strings

crypto\packet.c, xrefs: 00007FFB1DE51FA0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: crypto\packet.c
API String ID: 2581946324-224687097
Opcode ID: a91c07f2220dcfd8f204099255ed410dcd60e15240fbc2a54fa147de89677054
Instruction ID: f07222d7957557e51076a8dd55e425501f5440523ff2578c4159450cd71d80b5
Opcode Fuzzy Hash: a91c07f2220dcfd8f204099255ed410dcd60e15240fbc2a54fa147de89677054
Instruction Fuzzy Hash: BB5183EBB09F4246EE749A21D44437A6296FF5ABE1F044635EE8D47789EF2DE480C310

Function 00007FFB1DE91E80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE91F27

Strings

ssl\quic\quic_demux.c, xrefs: 00007FFB1DE91F1D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\quic\quic_demux.c
API String ID: 3931833713-194952269
Opcode ID: 32d6ee59eee4b98597971afdc89b69a607b429d456732ce99e5fb26fb5a7654b
Instruction ID: 17720f9561cf9d9ce80341313d5f646ee8c7d5d33e1492d37cce1b5ba52af4eb
Opcode Fuzzy Hash: 32d6ee59eee4b98597971afdc89b69a607b429d456732ce99e5fb26fb5a7654b
Instruction Fuzzy Hash: AB51037360AF4581EB698F29E58032973A5FB08F98F248539DA8D47758EF39D8A1C340

Function 00007FFB1DEC1E40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64(?,00000000,?,00007FFB1DE71EBC,?,?,?,00007FFB1DE710C3,00000004,00007FFB1DE714E5), ref: 00007FFB1DEC1F31

Strings

ssl\statem\extensions_cust.c, xrefs: 00007FFB1DEC1F27

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\statem\extensions_cust.c
API String ID: 3931833713-1564674317
Opcode ID: 79e04fb2f9bdfc2e85e275b17c82108a36db3bdef6b85b420f43a53b58715f15
Instruction ID: 60fe6c82465fab236e807f1b6e813d7e2dd54f1153a958c38c87734048532a7b
Opcode Fuzzy Hash: 79e04fb2f9bdfc2e85e275b17c82108a36db3bdef6b85b420f43a53b58715f15
Instruction Fuzzy Hash: 023183B3B09F8189EF548F2AE44017EA7A2FB4CBA5F944235DA4C87794EF3DD4528600

Function 00007FFB1DEAECB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFB1DE8B14A,?,00007FFB1DE8A9AE), ref: 00007FFB1DEAED76

Strings

ssl\quic\uint_set.c, xrefs: 00007FFB1DEAED60

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\quic\uint_set.c
API String ID: 2581946324-544055092
Opcode ID: b178622824566dcbe607fa44507ade0df14a53dd3449cd6503402db4b8e7a8ce
Instruction ID: af4c7737642d5bf6288bae6e9ae4ae53ee6a08dfe3373a90c7982414b80626b9
Opcode Fuzzy Hash: b178622824566dcbe607fa44507ade0df14a53dd3449cd6503402db4b8e7a8ce
Instruction Fuzzy Hash: 88412B73B0AE46C5DF549F31D48026A73A6FB48F95B188432DB5D47758EF39D4A18300

Function 00007FFB1DE85FB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64(00000000,00007FFB1DE86D3C,?,00007FFB1DE88468,02000100,00007FFB1DE87847,?,00007FFB1DE896D5,02000100,00007FFB1DE8E4FE,?,00007FFB1DE90F24), ref: 00007FFB1DE86042

Strings

ssl\quic\json_enc.c, xrefs: 00007FFB1DE86035

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\quic\json_enc.c
API String ID: 3931833713-3790216822
Opcode ID: 376e1c870c84ef4e230b81aeb6d2d6718e68366784f14be5723c91685cf3db44
Instruction ID: 2e0c5b85c8b8a08d3cbd062f52369d1fe3f0eb881fddc88f1d602d75118542a2
Opcode Fuzzy Hash: 376e1c870c84ef4e230b81aeb6d2d6718e68366784f14be5723c91685cf3db44
Instruction Fuzzy Hash: CE31A2B3A09EC184EF21CF35D45017A67A2EB49B99F284439DA8D47789EF3DE442C714

Function 00007FFB1C8FDCB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C8FDD24

Strings

GetLocaleInfoEx, xrefs: 00007FFB1C8FDCCC, 00007FFB1C8FDCDD

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: b2363f4c04da51dc6206509ecbc96c89d1f4623565e6e076fc0036d9e7d04674
Instruction ID: 213a61756bd4a4fb7d3174bbbc017bb0cd4987b2f0d228d5457053145e2d2608
Opcode Fuzzy Hash: b2363f4c04da51dc6206509ecbc96c89d1f4623565e6e076fc0036d9e7d04674
Instruction Fuzzy Hash: 9A017CA4B08E8186EB059F66E4481FAA366EB84BE0F684036DE4D47B99DE3CD5418341

Function 00007FFB1DE54E80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE54F0C

Strings

ssl\d1_lib.c, xrefs: 00007FFB1DE54EFF

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\d1_lib.c
API String ID: 2581946324-957499845
Opcode ID: 024b1b54408724ecc6d3c734aef7402c7b87e2468e72c0165e9ae6f10a91d8d9
Instruction ID: 075d1b16a606c724a7ecd120566f13d76186d54c4cc74288b17a737a0699317e
Opcode Fuzzy Hash: 024b1b54408724ecc6d3c734aef7402c7b87e2468e72c0165e9ae6f10a91d8d9
Instruction Fuzzy Hash: 1E0140AB719D8685EF40DF75D4953FA2322EF89FD9F481131DA4D4B69AEF28D0428310

Function 00007FFB1DE55DB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE55DD7

Strings

ssl\pqueue.c, xrefs: 00007FFB1DE55DCD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_malloc
String ID: ssl\pqueue.c
API String ID: 1457121658-827308526
Opcode ID: 52e7d2af857e5fbf65eeb62b814c97241e6d29bf2ac81d773921c94436c12082
Instruction ID: 726cd2d17c075b9f1da53bf116850a8ae59bf8bd5e1ffdf7bbafc83570487e48
Opcode Fuzzy Hash: 52e7d2af857e5fbf65eeb62b814c97241e6d29bf2ac81d773921c94436c12082
Instruction Fuzzy Hash: 41F03AB7B05F4181DA409B15F5857A973A1EB4CBD1F588036EB5C4375AEE38D5948700

Function 00007FFB1DE92010 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE91A70: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE91AE5

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE92048

Strings

ssl\quic\quic_demux.c, xrefs: 00007FFB1DE9203E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\quic\quic_demux.c
API String ID: 2581946324-194952269
Opcode ID: 86d8b67ec2ce8b1214a999898367857714e6828aca6b145ac2fa452047e6816b
Instruction ID: 82e41a69df420f7a1867e7bb572d5de321543e00970b5ebff1a10d4e28706193
Opcode Fuzzy Hash: 86d8b67ec2ce8b1214a999898367857714e6828aca6b145ac2fa452047e6816b
Instruction Fuzzy Hash: 77E08CC2F0AD0211FE18A371C8423BA12038F0D7A2F840034E90E8128ABD0CEA418341

Function 00007FFB1DEA5E80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE8B9F9), ref: 00007FFB1DEA5EB2

Strings

ssl\quic\quic_tls.c, xrefs: 00007FFB1DEA5EA8

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\quic\quic_tls.c
API String ID: 2581946324-27893869
Opcode ID: 7ad295910f6931cb6498d30be6b0a6bd2162199cb00bb7e3b5855186388e47ca
Instruction ID: 91851c2dce2b85adb091f71ce6a9174743a20eb07b7305ffe7a4762f056ce11e
Opcode Fuzzy Hash: 7ad295910f6931cb6498d30be6b0a6bd2162199cb00bb7e3b5855186388e47ca
Instruction Fuzzy Hash: 0DD05ED3F1AD0244FD04B771D84A3BA02129F4CBA2F485430EE4DC6783BE2DA9424200

Function 00007FFB1DE9ACD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE9B430: OSSL_ERR_STATE_free.LIBCRYPTO-3-X64(?,00007FFB1DE9AED7,?,00007FFB1DE923F0), ref: 00007FFB1DE9B473

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFB1DE95187), ref: 00007FFB1DE9ACFB

Strings

ssl\quic\quic_port.c, xrefs: 00007FFB1DE9ACF1

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: E_freeO_free
String ID: ssl\quic\quic_port.c
API String ID: 1398637539-1976217255
Opcode ID: 7118cd13374e06e604f49ab9599792ff0dfb795f56a13e2b7fae20ffe6626298
Instruction ID: 7dc454686402e4d0b99b99589f9eb9b0f3fe110ae759e10fc775f604dca59548
Opcode Fuzzy Hash: 7118cd13374e06e604f49ab9599792ff0dfb795f56a13e2b7fae20ffe6626298
Instruction Fuzzy Hash: 23D052C3F0AA0244FD596371E84A3BA02024F0CBA2E885030ED0C8638ABD2CA2914240

Function 00007FFB1DE8FCC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE8B8E0: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE8BA16
Part of subcall function 00007FFB1DE8B8E0: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE8BA2F
Part of subcall function 00007FFB1DE8B8E0: OSSL_ERR_STATE_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE8BA3B
Part of subcall function 00007FFB1DE8B8E0: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE8BA54

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE8FCEB

Strings

ssl\quic\quic_channel.c, xrefs: 00007FFB1DE8FCE1

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free$E_free
String ID: ssl\quic\quic_channel.c
API String ID: 2903139349-3763991639
Opcode ID: 82d8da54f33b79c215d817e7162c674f776a81135cc56d144b5576bead719ac1
Instruction ID: 7e8592f872928040f88654c5451870f3826c7a29df17243cd41ee6a927506268
Opcode Fuzzy Hash: 82d8da54f33b79c215d817e7162c674f776a81135cc56d144b5576bead719ac1
Instruction Fuzzy Hash: DDD0A9C3F0AE0340FD547371E84A3BA02028F0CBB2FA81830EE0E86783BD1CE2824200

Function 00007FFB1DE57DA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE57DB4

Strings

ssl\s3_lib.c, xrefs: 00007FFB1DE57DA7

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\s3_lib.c
API String ID: 2581946324-3639828702
Opcode ID: 2b4508f6ecc4cffd34a2207e694f95bcb5c9855163e91780b01d888f1840f89d
Instruction ID: 80592f98f1681d63cb80ccafbba9817506edc8015d9af5ac284fd032584e1002
Opcode Fuzzy Hash: 2b4508f6ecc4cffd34a2207e694f95bcb5c9855163e91780b01d888f1840f89d
Instruction Fuzzy Hash: C3D0C772F1AE4141FF409F25D4407AA2257A744B59F180436D94C5B65ADE7994518311

Function 00007FFB1DE65070 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-3-X64 ref: 00007FFB1DE65090
CRYPTO_THREAD_unlock.LIBCRYPTO-3-X64 ref: 00007FFB1DE650B2

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_unlockD_write_lock
String ID:
API String ID: 1724170673-0
Opcode ID: 5a2d336af165c646be72a8f1ae6c68047f85ed2d3b3b29b939537b198314da76
Instruction ID: 3983b6058b138a11f3a1f0e43af98bb8983f5c65d7063244e3c21f7b470757e4
Opcode Fuzzy Hash: 5a2d336af165c646be72a8f1ae6c68047f85ed2d3b3b29b939537b198314da76
Instruction Fuzzy Hash: 00E06563B18D8181EF809B65F5852AD5264EB8CFD4F181030FE4CCB78AFE28C4914610

Function 00007FFB1C9035A4 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5faab318d3a4579eeeb2ca022ca9c2b6e59a052a0bd1af17012e6ff5a81073
Instruction ID: 504cffba06e33306c88e76b9ee748605f9b65956ea761ceff69f62ffcbc0bcb3
Opcode Fuzzy Hash: 1d5faab318d3a4579eeeb2ca022ca9c2b6e59a052a0bd1af17012e6ff5a81073
Instruction Fuzzy Hash: 6151B3E2B08A8185EB509B76E8485EA7BA6BB44BE4F244135EE5D67B99CE3CD011C700

Function 00007FFB1C9077E4 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

Part of subcall function 00007FFB1C8F8F60: FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FA5

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C90784C

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: 0aa5be65ae464991427677355b10fe6b304cf55bd833c627679654733300a17d
Instruction ID: 9c4d14e2e4091519d2560ec6b46e90f410132d9c42d2fa9479d4e8598ac2b5f5
Opcode Fuzzy Hash: 0aa5be65ae464991427677355b10fe6b304cf55bd833c627679654733300a17d
Instruction Fuzzy Hash: 803181F1B08A8286FBA58B31D8857EE6396FB447E4F248175DA5D87645DF3CE420C700

Function 00007FFB1C907434 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C9074D2

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 8a03f314228991030f97571e164ce453a0f1148ff8f9a0674c3993f02b20408f
Instruction ID: 8f886bddcd0aebb23c39320907edec36dcaae924144f2ddba886c6590775776d
Opcode Fuzzy Hash: 8a03f314228991030f97571e164ce453a0f1148ff8f9a0674c3993f02b20408f
Instruction Fuzzy Hash: B511C3E3A18E458AEB558F35D4446FC7BA3E780BF0F648135C669432C5DA78D5E1C740

Function 00007FFB1C9079EC Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

GetLocaleInfoW.KERNEL32 ref: 00007FFB1C907A23

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: ade77afbdfe061483007cddb47ac06d2cd97ee25eeb43b93d2c9de6e63a8d558
Instruction ID: d6557b05e2e6c7b53bd6a3c0a48d3f50927fd34bf99cf20ba4bbb1a0376bfbfb
Opcode Fuzzy Hash: ade77afbdfe061483007cddb47ac06d2cd97ee25eeb43b93d2c9de6e63a8d558
Instruction Fuzzy Hash: 11117DF2B1895247E7F58731E449ABE2257EB40BF4F744231D62D876C4EE29DA508300

Function 00007FFB1C907504 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F8F60: GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
Part of subcall function 00007FFB1C8F8F60: FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
Part of subcall function 00007FFB1C8F8F60: SetLastError.KERNEL32 ref: 00007FFB1C8F900F

EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C907582

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: e1e51086aa39d5908dda8ba01fe6510b2ecaa94ce784174308523d506aa15cea
Instruction ID: c99d9bb73421c72c276687a1ce680e866d76d6f97e0a7fabcd9285c730113a75
Opcode Fuzzy Hash: e1e51086aa39d5908dda8ba01fe6510b2ecaa94ce784174308523d506aa15cea
Instruction Fuzzy Hash: 1301F5F2E0868186E7914B35E8487FD7297EB44BF4F649231D668072C8DF38D4908700

Function 00007FFB1C8FD770 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 00007FFB1C8FD7BF

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: c845efb142ed998ea417f664628cf16b446ecaaf5565848cad3ed86c710dcadd
Instruction ID: a83c10faa13687c80d2c8049354fa62b10a07e917c5836f1f76665b2fbd73533
Opcode Fuzzy Hash: c845efb142ed998ea417f664628cf16b446ecaaf5565848cad3ed86c710dcadd
Instruction Fuzzy Hash: 32F08CF2B08F4183E704CB35E8991E96362EB99BE0F249035EA0D83364CE3CD5A0C304

Function 00007FFB1DE5BFF0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64 ref: 00007FFB1DE5C00B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_run_once
String ID:
API String ID: 1403826838-0
Opcode ID: ab403c3c7ac0488e713bacb51cef460df3f26b41bfaedb84d844bbe0c9e9c8a7
Instruction ID: 9a8cade56c65d6ddae127d533746a9d6b08621756c5d7d63624bfc72d399c15f
Opcode Fuzzy Hash: ab403c3c7ac0488e713bacb51cef460df3f26b41bfaedb84d844bbe0c9e9c8a7
Instruction Fuzzy Hash: E7E0ECE5F09D13C6FE549B3CE86617623A2AF49371F404335E51DC21E5FE1DAA158B04

Function 00007FFB1DE5EDB0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-3-X64(00007FFB1DE5E773), ref: 00007FFB1DE5EDCB

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_run_once
String ID:
API String ID: 1403826838-0
Opcode ID: d00fc621a718b68c0e1b1cc737b8e43a4b90a1f0b59afe1246e0e6099a0f45ef
Instruction ID: bec4aa6997a2d7842f34fbc49d51ec6112d3fb322d12dd0935c1c7ff5ed39875
Opcode Fuzzy Hash: d00fc621a718b68c0e1b1cc737b8e43a4b90a1f0b59afe1246e0e6099a0f45ef
Instruction Fuzzy Hash: 64D09EA5F05D4796EA046738D9961A62252AF48761F804535E40DC2195FD2CE6058A50

Function 00007FFB1C998028 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3845d6525bfda03c2c73c429e5b1ed9d500e41c1694ccffe82f2f4df5dd30b5
Instruction ID: 3fda9996be37953816afe51d8a3579d4bcd8d06fb94003d8912fad3d76bdf5b9
Opcode Fuzzy Hash: c3845d6525bfda03c2c73c429e5b1ed9d500e41c1694ccffe82f2f4df5dd30b5
Instruction Fuzzy Hash: BB9129D7D4DEC18AF3634978CC7E0E92FA1DB92B60F5E807FC7854A1CBA94929058315

Function 00007FFB1C998FE0 Relevance: .2, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5f274fb491e3d953eb170baf4fe3e16efd75fe9ec33f842be44314c2d7f2fc
Instruction ID: e403e753be33cbdf3f8f96268c99c9c98cf9209ba29adc60c289720e291bff38
Opcode Fuzzy Hash: 7d5f274fb491e3d953eb170baf4fe3e16efd75fe9ec33f842be44314c2d7f2fc
Instruction Fuzzy Hash: 6C6104D7D0DEC34AF3634A78CC6D0A92F66EB92B60B5F8076C39C471CBE80E29058651

Function 00007FFB1C998FF8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50268199bd49e86fdd58cc4601fe1cb752462fdbc12127b41a9c232bafd85019
Instruction ID: c558963af0f5b5d6eab533760726020ea9d45b33c5fe1cd53d726c8fe6e30e52
Opcode Fuzzy Hash: 50268199bd49e86fdd58cc4601fe1cb752462fdbc12127b41a9c232bafd85019
Instruction Fuzzy Hash: 2F51F6D7D0DEC74AF3634A78CC6D0A92F65EB52B6075F8076D39C471CBE80E29058651

Function 00007FFB1C998120 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981e9ae9e6799e00f171b463c3651b7c2cd9c259e8fe970e86bb14a5994afe4
Instruction ID: e1cf3f4765cc91d1a8fbad72b605d70ba95c8987202d53dcc21faa81728d0980
Opcode Fuzzy Hash: 9981e9ae9e6799e00f171b463c3651b7c2cd9c259e8fe970e86bb14a5994afe4
Instruction Fuzzy Hash: 2C4109DBD4EEC54BF3B38978CC6D0A92FA19B92F64F1D807EC7850A1CBE95926048605

Function 00007FFB1C998010 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fbd788c7afb88a36f9865da36b64c2b1da2c1d11359a45b4f1fef3e52892d5
Instruction ID: e34937bb12e57879d88c079da342df68f64e39726e71ec24add27401b3b45577
Opcode Fuzzy Hash: c9fbd788c7afb88a36f9865da36b64c2b1da2c1d11359a45b4f1fef3e52892d5
Instruction Fuzzy Hash: D5E0E6D7A4EDC28AE3574534CC5D0D81F825BD2761F6D407EC789163CFEC4D68159215

Function 00007FFB1C998E30 Relevance: .1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ae2985f4eab853707df2b552ca1ab41df5bba2e7fffb15580c0dfa003b7778
Instruction ID: c711956fe85bbaeca196bc07c2a65d62429333249c99b9efe74ac8b777c9b60c
Opcode Fuzzy Hash: a2ae2985f4eab853707df2b552ca1ab41df5bba2e7fffb15580c0dfa003b7778
Instruction Fuzzy Hash: 3A1166D7D0DEC586F3532AB8CD3D1AA3F91AB52F54F1E807DD6850E08BE91928018649

Function 00007FFB1C90D110 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4ebb94953b842e5653686159f13f2b05dd81e7b00b1281161ed4322aa3226b
Instruction ID: f5454bb373a08bb5c5e678caaeea176edfb721dbfd2f3efccfac3fa3ef1e6b31
Opcode Fuzzy Hash: 6a4ebb94953b842e5653686159f13f2b05dd81e7b00b1281161ed4322aa3226b
Instruction Fuzzy Hash: 75F068F1719AA58ADB969F78E8426697BD1E7483D0F608139D58D83B14D63C90608F04

Function 00007FFB1C9981D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e3cfe9203eb5a7246f694acd48080004086198dd59aa8eb7b2e2e1cafb8bd8
Instruction ID: 75aff80d77feb4675b99da2287d7eadd56c6e43311ac5cdc91fce8a0a4632266
Opcode Fuzzy Hash: a5e3cfe9203eb5a7246f694acd48080004086198dd59aa8eb7b2e2e1cafb8bd8
Instruction Fuzzy Hash: 9AF0C7DBD4EEC147F3638A74CC6D06D2F92DB92B65B1E80BFC7850A187A9152A04434A

Function 00007FFB1C998EB0 Relevance: .0, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e97da26384f18b3fe386de1f7437c343bc35a9df9a3dd0e0e467dbf53b4c4c6
Instruction ID: cf238a4ca5653f09901a42353af8859f7661a0c8cc8d9f1829cd3d300497202f
Opcode Fuzzy Hash: 0e97da26384f18b3fe386de1f7437c343bc35a9df9a3dd0e0e467dbf53b4c4c6
Instruction Fuzzy Hash: 7BD012EBD0DE8587E3575DB4C86E0953F91A751B61B18503DC6460E58A672928018209

Function 00007FFB1DE65050 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fbb3ba1aa0ea2122419ec6d6550b4d7a9f1419740c96ac23a96294324dd8c7
Instruction ID: 12937c9df0b88c7534df79020448a00f3e26727aa2346a85fb66dfe0cc8ac0a1
Opcode Fuzzy Hash: 20fbb3ba1aa0ea2122419ec6d6550b4d7a9f1419740c96ac23a96294324dd8c7
Instruction Fuzzy Hash: 4CC092C7E9ED03C6FE5027B4D45F37A10A2DF99B22F204531E14D80A82FC1C61965652

Function 00007FFB1C9991A0 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa69458c751ed2d0501f3814a64279181efc16cb0ab00e2c4d4be9b5013a8e5
Instruction ID: 5a2011245fa208cbb11e0a519654c06df020e68cc87cfd34ed58fc8adde34097
Opcode Fuzzy Hash: eaa69458c751ed2d0501f3814a64279181efc16cb0ab00e2c4d4be9b5013a8e5
Instruction Fuzzy Hash:

Function 00007FFB1DE76CC0 Relevance: 51.0, APIs: 23, Strings: 6, Instructions: 214COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE76D85
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE76DA3

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE76DC8
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE76DD9
EVP_KDF_fetch.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E02
EVP_KDF_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E16
EVP_KDF_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E21
EVP_MD_get0_name.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E32
OSSL_PARAM_construct_utf8_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E49
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76E7D
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76EAD
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76EDF
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76F13
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76F47
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE76F7E
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64 ref: 00007FFB1DE76FAA

Strings

digest, xrefs: 00007FFB1DE76E3A
secret, xrefs: 00007FFB1DE76E53
seed, xrefs: 00007FFB1DE76E85, 00007FFB1DE76EB7, 00007FFB1DE76EE9, 00007FFB1DE76F1D, 00007FFB1DE76F51
TLS1-PRF, xrefs: 00007FFB1DE76DE9
tls1_PRF, xrefs: 00007FFB1DE76D8A, 00007FFB1DE77008
ssl\t1_enc.c, xrefs: 00007FFB1DE76D91, 00007FFB1DE7700F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: M_construct_octet_string$R_set_debug$D_get0_nameF_fetchF_freeM_construct_endM_construct_utf8_stringR_newR_set_errorR_vset_errorX_new
String ID: TLS1-PRF$digest$secret$seed$ssl\t1_enc.c$tls1_PRF
API String ID: 62230626-3940633726
Opcode ID: 1996dc3dc15587a9dca75bd6e81dba96edeac221ee34235bcc7b1d623ce2dcdf
Instruction ID: 8733fe36e66cfaec38e932610e321f2e59671f974b67cee5ba7854af56be82ee
Opcode Fuzzy Hash: 1996dc3dc15587a9dca75bd6e81dba96edeac221ee34235bcc7b1d623ce2dcdf
Instruction Fuzzy Hash: FFB17063908FCA85EB619F34D8412EA7771FB99799F005235EE8C57616EF38E285C700

Function 00007FFB1DE6CF60 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6CF91
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6CFB0

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6CFDE
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6CFEF
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6D01A
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00007FFB1DE65CE0), ref: 00007FFB1DE6D039

Strings

ossl_bytes_to_cipher_list, xrefs: 00007FFB1DE6CF9B, 00007FFB1DE6D024, 00007FFB1DE6D150, 00007FFB1DE6D183, 00007FFB1DE6D20C
ssl\ssl_lib.c, xrefs: 00007FFB1DE6CFA2, 00007FFB1DE6D02B, 00007FFB1DE6D157, 00007FFB1DE6D18A, 00007FFB1DE6D213

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_set_debug$R_new$R_set_errorR_vset_error
String ID: ossl_bytes_to_cipher_list$ssl\ssl_lib.c
API String ID: 138049072-2762198905
Opcode ID: bca6aad99d0fcdfcc539ba4f1a9908f244e91ff217f463bfa3af697c29ebd132
Instruction ID: e787b8c3cecebca5b27421fc140fc9cfbe21e2b32b7c47e63e85e2bcb967b928
Opcode Fuzzy Hash: bca6aad99d0fcdfcc539ba4f1a9908f244e91ff217f463bfa3af697c29ebd132
Instruction Fuzzy Hash: 8681A8A3A0CD4282FE52AA79E4057BB2692AF887A2F544035D94D47AC5FE3DE582C701

Function 00007FFB1DEC3080 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 316COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC30D0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC30E8

Strings

SHA2-256, xrefs: 00007FFB1DEC3408
, xrefs: 00007FFB1DEC33E2
HMAC, xrefs: 00007FFB1DEC33C7
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC30E1, 00007FFB1DEC3306, 00007FFB1DEC3481, 00007FFB1DEC3502, 00007FFB1DEC357E
tls_construct_stoc_cookie, xrefs: 00007FFB1DEC30D5, 00007FFB1DEC32FA, 00007FFB1DEC347A, 00007FFB1DEC34F6, 00007FFB1DEC3577

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: $HMAC$SHA2-256$ssl\statem\extensions_srvr.c$tls_construct_stoc_cookie
API String ID: 193678381-4098586831
Opcode ID: b2f239b687ba1ac7a383a71686d00e611803b4f7119a62b4ae398e0da005fcf2
Instruction ID: 001c57fcf5416446adaf39e0234843faefe569fec4f0864d597547c39d3278ed
Opcode Fuzzy Hash: b2f239b687ba1ac7a383a71686d00e611803b4f7119a62b4ae398e0da005fcf2
Instruction Fuzzy Hash: 4AD13FA7B08E4345FE119B72D4153FF23A2AF49BE6F844531DE4D8668AFE2DE6058310

Function 00007FFB1DE7EE10 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 294COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7EF3A
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7EF4C
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7EF71
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7EFAB
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F042
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F054
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F08E
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F0D1
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F11F
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F152
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F1A6
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F1B8
d2i_X509_NAME.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F1CC
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F1E3
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F205
X509_NAME_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE7F20D

Part of subcall function 00007FFB1DE810A0: BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE810CA
Part of subcall function 00007FFB1DE810A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810E4
Part of subcall function 00007FFB1DE810A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810FF

Part of subcall function 00007FFB1DE807E0: BIO_indent.LIBCRYPTO-3-X64(?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE80827
Part of subcall function 00007FFB1DE807E0: BIO_puts.LIBCRYPTO-3-X64(?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE8083B

Strings

request_extensions, xrefs: 00007FFB1DE7F282
<UNPARSEABLE DN>, xrefs: 00007FFB1DE7F1DC
DistinguishedName (len=%d): , xrefs: 00007FFB1DE7F1AE
UNKNOWN, xrefs: 00007FFB1DE7EF91, 00007FFB1DE7F0BA
%s (%d), xrefs: 00007FFB1DE7EFA1
certificate_authorities (len=%d), xrefs: 00007FFB1DE7F138
%s (0x%04x), xrefs: 00007FFB1DE7F0C7
request_context, xrefs: 00007FFB1DE7EE97
signature_algorithms (len=%d), xrefs: 00007FFB1DE7F04A
certificate_types (len=%d), xrefs: 00007FFB1DE7EF42

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_indentO_printf$O_puts$X509_$E_freed2i_
String ID: %s (%d)$%s (0x%04x)$<UNPARSEABLE DN>$DistinguishedName (len=%d): $UNKNOWN$certificate_authorities (len=%d)$certificate_types (len=%d)$request_context$request_extensions$signature_algorithms (len=%d)
API String ID: 527714260-1289818360
Opcode ID: b4a2c63667237052fbd216761570a1286445e457b2325f48cfab88b12bb44429
Instruction ID: 08f4469c5e70704b637f0542898d87e16fcf37769e23c8c67b74b164e75ee1b3
Opcode Fuzzy Hash: b4a2c63667237052fbd216761570a1286445e457b2325f48cfab88b12bb44429
Instruction Fuzzy Hash: CDC1D2A3B18ED245EE64DB25E4056AB6B93FB89BA6F448031DD8D43B95EF3CE101C350

Function 00007FFB1DE8CD10 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 218COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CD8B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CDA3
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CDF2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CE0A
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CE1B
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CE2F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CEC6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CEDE
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CF2D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CF45
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CF56
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CF6A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8CFFA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8D012
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8D060
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8D078
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8D089
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8D09D

Strings

Post-handshake TLS CertificateRequest received, xrefs: 00007FFB1DE8CDB5
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFB1DE8CDEB, 00007FFB1DE8CF26, 00007FFB1DE8D054
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFB1DE8CD90, 00007FFB1DE8CECB, 00007FFB1DE8CFFF
ch_on_handshake_alert, xrefs: 00007FFB1DE8CDF7, 00007FFB1DE8CF32, 00007FFB1DE8D065
handshake alert, xrefs: 00007FFB1DE8D024
/, xrefs: 00007FFB1DE8CE6C
Bad max_early_data received, xrefs: 00007FFB1DE8CEF0
ssl\quic\quic_channel.c, xrefs: 00007FFB1DE8CD9C, 00007FFB1DE8CE03, 00007FFB1DE8CED7, 00007FFB1DE8CF3E, 00007FFB1DE8D00B, 00007FFB1DE8D071

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: /$Bad max_early_data received$Post-handshake TLS CertificateRequest received$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_handshake_alert$handshake alert$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-2661310867
Opcode ID: 65fa96e4008da09b9f3fbff6c2eb15e914d9a864325cdb2c7fb5b36312e1ffa4
Instruction ID: 7c868548554da2014e61c056e4961fc817df12e4af4bb667c8a804685f2d9cde
Opcode Fuzzy Hash: 65fa96e4008da09b9f3fbff6c2eb15e914d9a864325cdb2c7fb5b36312e1ffa4
Instruction Fuzzy Hash: 58A160A2A09F8285FF10DB30E8443BB77E6EB59762F540139EA8D46695FF3CE546C600

Function 00007FFB1C889AF0 Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00007FFB1C889B3E
GetObjectW.GDI32 ref: 00007FFB1C889B54
GetDC.USER32 ref: 00007FFB1C889B69
CreateCompatibleDC.GDI32 ref: 00007FFB1C889B75
CreateCompatibleBitmap.GDI32 ref: 00007FFB1C889B86
SelectObject.GDI32 ref: 00007FFB1C889B95
CreateCompatibleDC.GDI32 ref: 00007FFB1C889B9E
CreateCompatibleDC.GDI32 ref: 00007FFB1C889BB1
SelectObject.GDI32 ref: 00007FFB1C889BC8
SelectObject.GDI32 ref: 00007FFB1C889BDC
BitBlt.GDI32 ref: 00007FFB1C889C19
BitBlt.GDI32 ref: 00007FFB1C889C58
GetDIBits.GDI32 ref: 00007FFB1C889D4E
DeleteObject.GDI32 ref: 00007FFB1C889DAC
DeleteDC.GDI32 ref: 00007FFB1C889DB9
DeleteDC.GDI32 ref: 00007FFB1C889DC6
DeleteDC.GDI32 ref: 00007FFB1C889DCF
ReleaseDC.USER32 ref: 00007FFB1C889DDA

Strings

6, xrefs: 00007FFB1C889CB3
, xrefs: 00007FFB1C889C2A
(, xrefs: 00007FFB1C889C5E
ios_base::failbit set, xrefs: 00007FFB1C889E6B
ios_base::eofbit set, xrefs: 00007FFB1C889E72
ios_base::badbit set, xrefs: 00007FFB1C889E60

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Object$CompatibleCreateDelete$Select$BitmapBitsRelease
String ID: $($6$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2929339508-282752976
Opcode ID: 81d3baf75cff85d6e1743fc8b9086cfd6275fe3d9bcd16db086331c2fa9e8dfc
Instruction ID: ebe06303caec7f09637dd13b15cc46e09067e0df80d81a67c24d8b7def0713f2
Opcode Fuzzy Hash: 81d3baf75cff85d6e1743fc8b9086cfd6275fe3d9bcd16db086331c2fa9e8dfc
Instruction Fuzzy Hash: D4B13DB2614A82CAEB11DF35E8883E977A1FB84B98F604139DA4D87B58DF38D505C704

Function 00007FFB1DE9DDF0 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 339COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DE63
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DE7B
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DE8C
EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DF8A
OPENSSL_cleanse.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DF9C
EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DFC8
OPENSSL_cleanse.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DFDD
EVP_MD_free.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9DFE9
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9E016
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9E02E

Strings

quic hp, xrefs: 00007FFB1DE9E143
ssl\quic\quic_record_shared.c, xrefs: 00007FFB1DE9DE74, 00007FFB1DE9E027, 00007FFB1DE9E0AC
quic ku, xrefs: 00007FFB1DE9E203, 00007FFB1DE9E2AE
ossl_qrl_enc_level_set_provide_secret, xrefs: 00007FFB1DE9DE68, 00007FFB1DE9E020, 00007FFB1DE9E0A0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_cleanseR_newR_set_debugX_free$D_freeR_set_error
String ID: ossl_qrl_enc_level_set_provide_secret$quic hp$quic ku$ssl\quic\quic_record_shared.c
API String ID: 3376602870-530731218
Opcode ID: a0df0d035f1c3c7f66bababeb5ab73a2a84ce023b1770783a390982fe743a060
Instruction ID: 1ed8f4fda0a1392333a271c5601a3627df6adb4d8b58089ef0d3d956c9fa33f3
Opcode Fuzzy Hash: a0df0d035f1c3c7f66bababeb5ab73a2a84ce023b1770783a390982fe743a060
Instruction Fuzzy Hash: 9FF16FB3A09F8185EE649B35E4403AB77A6FB89B61F140135DA8D43B99EF3DE451CB00

Function 00007FFB1DED7D10 Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 296COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED7D36
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED7D4E

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED7D9E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED7DB6

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DED7D47, 00007FFB1DED7DAF, 00007FFB1DEDBA80, 00007FFB1DEDBB16, 00007FFB1DEDBC3D, 00007FFB1DEDBCF9, 00007FFB1DEDBD48
ssl_check_srp_ext_ClientHello, xrefs: 00007FFB1DEDBCED, 00007FFB1DEDBD3C
tls_post_process_client_key_exchange, xrefs: 00007FFB1DED7DA3
p, xrefs: 00007FFB1DEDBCBE
ossl_statem_server_post_process_message, xrefs: 00007FFB1DED7D3B
tls_post_process_client_hello, xrefs: 00007FFB1DEDBA74, 00007FFB1DEDBB0A
tls_handle_status_request, xrefs: 00007FFB1DEDBC31

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ossl_statem_server_post_process_message$p$ssl\statem\statem_srvr.c$ssl_check_srp_ext_ClientHello$tls_handle_status_request$tls_post_process_client_hello$tls_post_process_client_key_exchange
API String ID: 4275876640-2954090895
Opcode ID: 063168f274a9bde6768cb7d67a078dc44ceff80372279927d178362d3e63f372
Instruction ID: 7c5bfd71bf41c6296a9b3638b21ef9c437cb6d329a32340692aa26826022cf55
Opcode Fuzzy Hash: 063168f274a9bde6768cb7d67a078dc44ceff80372279927d178362d3e63f372
Instruction Fuzzy Hash: ACC181A3E08E4281FF919B71D8953BB26A2EF49B66F585031C90D866D5FF3CD885C710

Function 00007FFB1DE6BD30 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BD88
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BDA0
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BDBB
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BDD3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BF01
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BF17
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BF2F
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE6BF40

Strings

SSL_verify_client_post_handshake, xrefs: 00007FFB1DE6BD8D, 00007FFB1DE6BDC0, 00007FFB1DE6BE11, 00007FFB1DE6BE38, 00007FFB1DE6BE7F, 00007FFB1DE6BEBE, 00007FFB1DE6BEE2, 00007FFB1DE6BF21
ssl\ssl_lib.c, xrefs: 00007FFB1DE6BD99, 00007FFB1DE6BDCC, 00007FFB1DE6BE1D, 00007FFB1DE6BE44, 00007FFB1DE6BE8B, 00007FFB1DE6BECA, 00007FFB1DE6BEEE, 00007FFB1DE6BF28

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$R_set_error
String ID: SSL_verify_client_post_handshake$ssl\ssl_lib.c
API String ID: 3026104281-3876967214
Opcode ID: 64185e098c1e540af8eaeed21b6aa3358c9e9f506206b946f21917699093de88
Instruction ID: 1dfe559b18f0b9345878d2c4f51b771c2464868d06d2a0f40bb5ef721db85e12
Opcode Fuzzy Hash: 64185e098c1e540af8eaeed21b6aa3358c9e9f506206b946f21917699093de88
Instruction Fuzzy Hash: 2D514CE3E1CD4241FE15AB79D8652FB2253EF5C726F904036D90E86AE2FF2DE9058601

Function 00007FFB1DE70D40 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFB1DE70D6B
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE70D73
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE70D80
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE70D98
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE70DB6
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE70DBF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE70DD7
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE70EC4
X509_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE70ECE
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE70ED6

Strings

ssl\ssl_rsa.c, xrefs: 00007FFB1DE70D91, 00007FFB1DE70DD0, 00007FFB1DE70E10, 00007FFB1DE70E7A, 00007FFB1DE70EAC
SSL_CTX_use_certificate_file, xrefs: 00007FFB1DE70D85, 00007FFB1DE70DC4, 00007FFB1DE70E04, 00007FFB1DE70E6E, 00007FFB1DE70EA0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_errorX509_free
String ID: SSL_CTX_use_certificate_file$ssl\ssl_rsa.c
API String ID: 2680622528-4211319898
Opcode ID: f18ccf9e675e49b04429550e3eff73629faba42339b90f6c5f2de25160969228
Instruction ID: f14ed36f4043ff26307164aeec8ec9702847ddf3ce211ac81df7da927e2a7760
Opcode Fuzzy Hash: f18ccf9e675e49b04429550e3eff73629faba42339b90f6c5f2de25160969228
Instruction Fuzzy Hash: 944150A7A0CE5241EE50AB75D4552BF6622EF8CBB2F504035E94C43A9AFF3CE9058741

Function 00007FFB1DED2CA0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

OPENSSL_sk_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2CCC
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2CDB
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2CF3

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

d2i_X509_NAME.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2DA0
OPENSSL_sk_push.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2DBE
OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2DDA
OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2EBA
X509_NAME_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DEBB9DE), ref: 00007FFB1DED2EC2

Strings

parse_ca_names, xrefs: 00007FFB1DED2CE5, 00007FFB1DED2E04, 00007FFB1DED2E29, 00007FFB1DED2E4E, 00007FFB1DED2E82
ssl\statem\statem_lib.c, xrefs: 00007FFB1DED2CEC, 00007FFB1DED2E10, 00007FFB1DED2E35, 00007FFB1DED2E5A, 00007FFB1DED2E8E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_pop_freeX509_$E_freeL_sk_newL_sk_pushR_newR_set_debugR_vset_errord2i_
String ID: parse_ca_names$ssl\statem\statem_lib.c
API String ID: 1078948774-2141598178
Opcode ID: c46b9159b83832a022c3a6c50a79f5a18fd55039077077058c5df5826ed6341c
Instruction ID: 5abde62c16f10665b64ad0c554f0d3ea33c222c20eb57c52866d6140bcc97859
Opcode Fuzzy Hash: c46b9159b83832a022c3a6c50a79f5a18fd55039077077058c5df5826ed6341c
Instruction Fuzzy Hash: 2F5192A3A0CE8245FE11AB71D8551BB2653EF8CBB6F448031EE8C82696FF3DE5458701

Function 00007FFB1DEBADC0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 204COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAEAC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAEC4
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAEDA
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAF6D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAF85
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAF9F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAFE3
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBAFFB
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEBB011
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBB054
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBB06C
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEBB082

Strings

SSL_poll does not support unknown poll descriptor type %d, xrefs: 00007FFB1DEBAF8E
SSL_poll currently only supports QUIC SSL objects, xrefs: 00007FFB1DEBAEC9
SSL_poll does not currently support blocking operation, xrefs: 00007FFB1DEBB071
SSL_poll currently does not support polling sockets, xrefs: 00007FFB1DEBB000
ssl\rio\poll_immediate.c, xrefs: 00007FFB1DEBAEBD, 00007FFB1DEBAF7E, 00007FFB1DEBAFF4, 00007FFB1DEBB065
SSL_poll, xrefs: 00007FFB1DEBAEB1, 00007FFB1DEBAF72, 00007FFB1DEBAFE8, 00007FFB1DEBB059

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_poll$SSL_poll currently does not support polling sockets$SSL_poll currently only supports QUIC SSL objects$SSL_poll does not currently support blocking operation$SSL_poll does not support unknown poll descriptor type %d$ssl\rio\poll_immediate.c
API String ID: 1552677711-1312627168
Opcode ID: 99e812f416e3727851a7b3c56d9dfbc1924d3e52949b43b8061e4dd351794333
Instruction ID: 3ba2171cb2130d95f6e1278a037b40714350524dbf8ea55c89c5b39846e019c1
Opcode Fuzzy Hash: 99e812f416e3727851a7b3c56d9dfbc1924d3e52949b43b8061e4dd351794333
Instruction Fuzzy Hash: 5571A1B3B08E4286EE248F34D8102BB6692FB88BA2F545531DACE57794EF7CE405C740

Function 00007FFB1DE8EEEC Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 170COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EF83
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EF9B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EFED
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F005
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F016
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F02A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F0C2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F0DA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F12C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F144
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F155
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8F169

Strings

QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFB1DE8EFDD, 00007FFB1DE8F11C
ch_rx_handle_packet, xrefs: 00007FFB1DE8EFF2, 00007FFB1DE8F131
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFB1DE8EF88, 00007FFB1DE8F0C7
client received initial token, xrefs: 00007FFB1DE8F0EC
new packet with old keys, xrefs: 00007FFB1DE8EFAD
ssl\quic\quic_channel.c, xrefs: 00007FFB1DE8EF94, 00007FFB1DE8EFFE, 00007FFB1DE8F0D3, 00007FFB1DE8F13D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_rx_handle_packet$client received initial token$new packet with old keys$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-2370986996
Opcode ID: c73a274985b2f8831848ef10f53c9fbcba782f14c798533a719cf5fca782607f
Instruction ID: 5d47602836f9937b847c4fd2c577ca376513346cab9e2d8b266e61ab948660ab
Opcode Fuzzy Hash: c73a274985b2f8831848ef10f53c9fbcba782f14c798533a719cf5fca782607f
Instruction Fuzzy Hash: CD816FA3B09F8186FE11DB30E9403BB77A2EB48766F540139DA8E46695EF3CE542C700

Function 00007FFB1DE73020 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFB1DE7304E
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE73056
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE73063
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE73079
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE73097
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE730A0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE730B8
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE73174
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE7317C

Strings

ssl\ssl_rsa_legacy.c, xrefs: 00007FFB1DE73072, 00007FFB1DE730B1, 00007FFB1DE73123, 00007FFB1DE7315C
SSL_use_RSAPrivateKey_file, xrefs: 00007FFB1DE73068, 00007FFB1DE730A5, 00007FFB1DE73119, 00007FFB1DE73150

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_error
String ID: SSL_use_RSAPrivateKey_file$ssl\ssl_rsa_legacy.c
API String ID: 1899708915-461091929
Opcode ID: 4dc95865bd5ee1d1fafe938c8bf7ceadbe445d5709b5ee3ca4dc30e911d0f142
Instruction ID: 2805b6aad63fe912d552e1033a414e2f55bc378a27550f391dc81a09f22f0ca2
Opcode Fuzzy Hash: 4dc95865bd5ee1d1fafe938c8bf7ceadbe445d5709b5ee3ca4dc30e911d0f142
Instruction Fuzzy Hash: BC31C1A3A0CE4341FE94A771D8451BB2203AF8CFA2F544435E99D87A97FE3CE5458341

Function 00007FFB1DEA6EC7 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 67COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6ED1

Part of subcall function 00007FFB1DEABAA0: memset.VCRUNTIME140(?,00007FFB1DE88D5F), ref: 00007FFB1DEABB4F

BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6EF8
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F0B
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F1A
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F2F
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F3D
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F5D
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F80
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6F98
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

New conn id, xrefs: 00007FFB1DEA6EC7
<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Stateless Reset Token: , xrefs: 00007FFB1DEA6F53
<zero length id>, xrefs: 00007FFB1DEA6F28
Sequence Number: %llu, xrefs: 00007FFB1DEA6EEE
Retire prior to: %llu, xrefs: 00007FFB1DEA6F01
%02x, xrefs: 00007FFB1DEA6F76
Connection id: , xrefs: 00007FFB1DEA6F10

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf$memset
String ID: Stateless Reset Token: $ <unexpected trailing frame data skipped>$ Connection id: $ Retire prior to: %llu$ Sequence Number: %llu$%02x$<zero length id>$New conn id
API String ID: 1053681018-3229369408
Opcode ID: bc177c2539c96af3b2f75e52271a3b0772aefa78012a3f119ed141c6e70f3694
Instruction ID: b9e3158c03e73c0310dc5fbd01a88b5ad9fde918873427d1308dc2e0d6135bde
Opcode Fuzzy Hash: bc177c2539c96af3b2f75e52271a3b0772aefa78012a3f119ed141c6e70f3694
Instruction Fuzzy Hash: C5314FD3B48E5384FE10EB35E8512BA1363AF8EBA6F845035D94E46696FE7CE245C300

Function 00007FFB1DEDBF90 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFC0), ref: 00007FFB1DEDBFBC
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFC0), ref: 00007FFB1DEDBFD4

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFC0), ref: 00007FFB1DEDC035
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFC0), ref: 00007FFB1DEDC04D
EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFC0), ref: 00007FFB1DEDC15D

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DEDBFCD, 00007FFB1DEDC046, 00007FFB1DEDC0A3, 00007FFB1DEDC106, 00007FFB1DEDC130
tls_process_cke_ecdhe, xrefs: 00007FFB1DEDBFC1, 00007FFB1DEDC03A, 00007FFB1DEDC097, 00007FFB1DEDC0FA, 00007FFB1DEDC124

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_errorY_free
String ID: ssl\statem\statem_srvr.c$tls_process_cke_ecdhe
API String ID: 3480850779-2523305932
Opcode ID: 967a7a1891d377d33193c02967b62af0a95984905677b546d53bc4c7284bb708
Instruction ID: c69f57af299608675ebb23b32ccf8f7c6f33abc68492fca68843f980424d1a05
Opcode Fuzzy Hash: 967a7a1891d377d33193c02967b62af0a95984905677b546d53bc4c7284bb708
Instruction Fuzzy Hash: A6417CA3A0CE4281FE10AB71D8552BB6666EF4DBE2F544131DE4C87B96EF2CE5558300

Function 00007FFB1DEDBDA0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBE0A
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBE22
ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBE38
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBE50
ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBF2C
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBF44
EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,00007FFB1DEDDFAD), ref: 00007FFB1DEDBF62

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DEDBE1B, 00007FFB1DEDBE49, 00007FFB1DEDBEB0, 00007FFB1DEDBF13, 00007FFB1DEDBF3D
tls_process_cke_dhe, xrefs: 00007FFB1DEDBE0F, 00007FFB1DEDBE3D, 00007FFB1DEDBEA4, 00007FFB1DEDBF07, 00007FFB1DEDBF31

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$Y_free
String ID: ssl\statem\statem_srvr.c$tls_process_cke_dhe
API String ID: 2633058761-2145857467
Opcode ID: 3696b4a97e3730642a9b869c5f25713406a3dda3faf817eb095120064dc2e424
Instruction ID: 92fb16f57b8d97c8e065e541a9b9c47c27288448db2f67aeb71a04b649ff444a
Opcode Fuzzy Hash: 3696b4a97e3730642a9b869c5f25713406a3dda3faf817eb095120064dc2e424
Instruction Fuzzy Hash: B0414AA3A08E4681FE10AB71EC952BB6663AF48BA2F544031DD4D87A96FF3CE4558700

Function 00007FFB1DECB010 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB07E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECB096
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB0C4
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECB0DC
OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DECB135
OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFB1DECB151
OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DECB1FB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB20F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECB227
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB26B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB2A0
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECB2B6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECB2CE

Strings

No ciphers enabled for max supported SSL/TLS version, xrefs: 00007FFB1DECB2D6
ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECB08F, 00007FFB1DECB0D5, 00007FFB1DECB220, 00007FFB1DECB2C7
ssl_cipher_list_to_bytes, xrefs: 00007FFB1DECB083, 00007FFB1DECB0C9, 00007FFB1DECB219, 00007FFB1DECB2BB

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$L_sk_num$L_sk_value
String ID: No ciphers enabled for max supported SSL/TLS version$ssl\statem\statem_clnt.c$ssl_cipher_list_to_bytes
API String ID: 3652367727-3974761036
Opcode ID: e196cbb6ead76ac6b43d595bf6ce1558f701381f10ed86937303572f5c74c3a8
Instruction ID: 2141254826cb8c0e487439b2929fd77b36f2b1d1c782a86b0c9a0006130a0fbf
Opcode Fuzzy Hash: e196cbb6ead76ac6b43d595bf6ce1558f701381f10ed86937303572f5c74c3a8
Instruction Fuzzy Hash: 7A81A2A3A08E8282EF519B31D8017BF2792AF99BA6F444031DE5C47695FF3CE585D700

Function 00007FFB1DE72CF0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D1E
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D26
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D33
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D4B
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D69
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D72
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE72D8A
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE72E48
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE72E50

Strings

ssl\ssl_rsa_legacy.c, xrefs: 00007FFB1DE72D44, 00007FFB1DE72D83, 00007FFB1DE72DF7, 00007FFB1DE72E30
SSL_CTX_use_RSAPrivateKey_file, xrefs: 00007FFB1DE72D38, 00007FFB1DE72D77, 00007FFB1DE72DEB, 00007FFB1DE72E24

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_error
String ID: SSL_CTX_use_RSAPrivateKey_file$ssl\ssl_rsa_legacy.c
API String ID: 1899708915-4141410350
Opcode ID: c695e77076db850c0d285dc253a1647065fe05fa58fee034a8de279cfa009101
Instruction ID: 5e90ce387e5e2c2eabe7db5fb8069645612caa1ce2638453c576adde4b70b904
Opcode Fuzzy Hash: c695e77076db850c0d285dc253a1647065fe05fa58fee034a8de279cfa009101
Instruction Fuzzy Hash: B3318FA3E0CE4241FE55AB72D8552BF1243EF8CFA2F544435E98D87BA6FE2CE5054242

Function 00007FFB1DE72E80 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72E9E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE72EB4
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE72EC4
EVP_PKEY_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72EDB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72EE8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE72EFE
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE72F0E

Strings

ssl\ssl_rsa_legacy.c, xrefs: 00007FFB1DE72EAD, 00007FFB1DE72EF7
SSL_use_RSAPrivateKey, xrefs: 00007FFB1DE72EA3, 00007FFB1DE72EED

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$Y_new
String ID: SSL_use_RSAPrivateKey$ssl\ssl_rsa_legacy.c
API String ID: 2166683265-843432994
Opcode ID: fcbdac663444c984cc1c776bfcb1b051b48d6c9b6286b0ed5f1a32ae04c0e965
Instruction ID: 1a5f63efe87e4d40678bb2bc3d3af178813ae67f114cf6bc920ba7aeb3406e13
Opcode Fuzzy Hash: fcbdac663444c984cc1c776bfcb1b051b48d6c9b6286b0ed5f1a32ae04c0e965
Instruction Fuzzy Hash: 6D21A2A3A18D4242EE44F735E5851FB1252EF4CFE5F481434EA4D97A87FE2CE5818700

Function 00007FFB1DE5BE20 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BE3B
OPENSSL_sk_new_reserve.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BE46
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BE53
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BE6B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BE7B
OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BEA5
X509_NAME_dup.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BEAD
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFB1DE5BEBD

Strings

ssl\ssl_cert.c, xrefs: 00007FFB1DE5BE64, 00007FFB1DE5BEF1
SSL_dup_CA_list, xrefs: 00007FFB1DE5BE58, 00007FFB1DE5BEE5

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: E_dupL_sk_new_reserveL_sk_numL_sk_pushL_sk_valueR_newR_set_debugR_set_errorX509_
String ID: SSL_dup_CA_list$ssl\ssl_cert.c
API String ID: 876855465-192599479
Opcode ID: 6e3ead793171882e7cad39b48af15352646ba32d41d308672a7b54769bd801a5
Instruction ID: 8f386d859fff7b413f89b38efd1e49fd65bd3dc128cb14d10724156a43ac8455
Opcode Fuzzy Hash: 6e3ead793171882e7cad39b48af15352646ba32d41d308672a7b54769bd801a5
Instruction Fuzzy Hash: 352186A7B1CE4646EE50A731E5452BF5253AF4CBA1F940435E98E83B8BFE2CE4458A01

Function 00007FFB1DECFFA0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED0044
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED005C
EVP_PKEY_set1_encoded_public_key.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED00E0
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED00E9
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED0101
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED014E
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED0166
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED017B
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED0193

Part of subcall function 00007FFB1DE5A1A0: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A216
Part of subcall function 00007FFB1DE5A1A0: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A22E
Part of subcall function 00007FFB1DE5A1A0: EVP_PKEY_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE5A271

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED01AA
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECDFFE,?,?,?,?,?,?), ref: 00007FFB1DED01C2

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DED0055, 00007FFB1DED00FA, 00007FFB1DED015F, 00007FFB1DED018C, 00007FFB1DED01BB
tls_process_ske_ecdhe, xrefs: 00007FFB1DED0049, 00007FFB1DED00EE, 00007FFB1DED0153, 00007FFB1DED0180, 00007FFB1DED01AF

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$X_freeY_set1_encoded_public_key
String ID: ssl\statem\statem_clnt.c$tls_process_ske_ecdhe
API String ID: 2103322892-2515942935
Opcode ID: 432d5e60ed84920e5364d4d679556847c334b97ecd75f4f894e5567e0079c389
Instruction ID: 5812e00d7604a149186a58594051e0ff84db83b468e554bc40955c360947858e
Opcode Fuzzy Hash: 432d5e60ed84920e5364d4d679556847c334b97ecd75f4f894e5567e0079c389
Instruction Fuzzy Hash: E5519DB3A08E9282FF50DB31D9516BB6762EB8D7A1F444131DA8D83A96FF2CE551C300

Function 00007FFB1DE6FFD0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE7003C
OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE70053
CT_POLICY_EVAL_CTX_new_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE7008D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE7009A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE700B2
CT_POLICY_EVAL_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE700CE
OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFB1DE700E4

Part of subcall function 00007FFB1DE677C0: o2i_SCT_LIST.LIBCRYPTO-3-X64 ref: 00007FFB1DE6782E
Part of subcall function 00007FFB1DE677C0: SCT_LIST_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE67850
Part of subcall function 00007FFB1DE677C0: d2i_OCSP_RESPONSE.LIBCRYPTO-3-X64 ref: 00007FFB1DE678A2
Part of subcall function 00007FFB1DE677C0: OCSP_response_get1_basic.LIBCRYPTO-3-X64 ref: 00007FFB1DE678B2
Part of subcall function 00007FFB1DE677C0: OCSP_resp_count.LIBCRYPTO-3-X64 ref: 00007FFB1DE678C4
Part of subcall function 00007FFB1DE677C0: OCSP_resp_get0.LIBCRYPTO-3-X64 ref: 00007FFB1DE678D5
Part of subcall function 00007FFB1DE677C0: OCSP_SINGLERESP_get1_ext_d2i.LIBCRYPTO-3-X64 ref: 00007FFB1DE678ED
Part of subcall function 00007FFB1DE677C0: OCSP_resp_count.LIBCRYPTO-3-X64 ref: 00007FFB1DE67915
Part of subcall function 00007FFB1DE677C0: SCT_LIST_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE67921
Part of subcall function 00007FFB1DE677C0: OCSP_BASICRESP_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE67929
Part of subcall function 00007FFB1DE677C0: OCSP_RESPONSE_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE67931

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE7014D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE70165
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE70198
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE701B0

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE700AB, 00007FFB1DE7015E, 00007FFB1DE701A9
ssl_validate_ct, xrefs: 00007FFB1DE7009F, 00007FFB1DE70152, 00007FFB1DE7019D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$L_sk_numP_resp_countT_free$E_freeL_sk_valueP_freeP_get1_ext_d2iP_resp_get0P_response_get1_basicX_freeX_new_exd2i_o2i_
String ID: ssl\ssl_lib.c$ssl_validate_ct
API String ID: 3789691588-3095674411
Opcode ID: 6861703e8e07fc3a7af925cf2e5a0dad8bd51a14b81fbf7e460197bd799a116d
Instruction ID: b862222b48ff4e7ac7a7dffd063e0a1d02ba47ed06ce1e6c84bcd2f6a7d8b666
Opcode Fuzzy Hash: 6861703e8e07fc3a7af925cf2e5a0dad8bd51a14b81fbf7e460197bd799a116d
Instruction Fuzzy Hash: 515111A7B09E5241FE95AA36D4542BF1662EF8CFB2F484031DE4D87796FE2CE5418380

Function 00007FFB1DE80CC0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80D3D
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE80D78
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80D88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE80D9A
BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80DAA
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE80E1D
BIO_dump_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80E2F
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE80E4B
BIO_dump_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80E5D

Strings

Uncompressed length=%d, xrefs: 00007FFB1DE80D90
Compression type=%s (0x%04x), xrefs: 00007FFB1DE80D6B
Compressed length=%d, Ratio=unknown, xrefs: 00007FFB1DE80E41
Compressed length=%d, Ratio=%f:1, xrefs: 00007FFB1DE80E0B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_printf$O_indent$O_dump_indent
String ID: Compressed length=%d, Ratio=%f:1$Compressed length=%d, Ratio=unknown$Compression type=%s (0x%04x)$Uncompressed length=%d
API String ID: 2695996789-2584780413
Opcode ID: da2546d46be6a3401da064b2f0c090d1a6c8d11e08c2c8f5727092ddb681fde4
Instruction ID: de3ed11e42cb65e0c73252ea9094eeca275312b024e7d978ef448e97ded3e59d
Opcode Fuzzy Hash: da2546d46be6a3401da064b2f0c090d1a6c8d11e08c2c8f5727092ddb681fde4
Instruction Fuzzy Hash: F9414993708EB145EE219A36D4056BE2E426F4ABE6F099031DC9D57782FE3CE142C710

Function 00007FFB1DEA7041 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 58COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA704B
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA706A
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7091
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA70A0
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA70CF
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA70E6
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
(app), xrefs: 00007FFB1DEA705C
Error Code: %llu, xrefs: 00007FFB1DEA7087
Reason: , xrefs: 00007FFB1DEA7096
Connection close, xrefs: 00007FFB1DEA7041
(transport), xrefs: 00007FFB1DEA7055

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Error Code: %llu$ Reason: $ (app)$ (transport)$Connection close
API String ID: 4098839300-216527848
Opcode ID: 41314268be5aa590959667c35542936b3c69ffa1aef92160b6e1cc8b36e1a73b
Instruction ID: 6124079883607bbc301eb88ca3d76fd5b13de227c1f5cd1d03697eea11bbd6f0
Opcode Fuzzy Hash: 41314268be5aa590959667c35542936b3c69ffa1aef92160b6e1cc8b36e1a73b
Instruction Fuzzy Hash: 422162D3B48E1384FE10EB35E8513BA6762AF4DBA6F855036CD4E46255FE3CD1458300

Function 00007FFB1DEDE090 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DED6360: ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFB1DECEB23), ref: 00007FFB1DED6431
Part of subcall function 00007FFB1DED6360: ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFB1DECEB23), ref: 00007FFB1DED6449
Part of subcall function 00007FFB1DED6360: CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFB1DECEB23), ref: 00007FFB1DED67A8
Part of subcall function 00007FFB1DED6360: EVP_PKEY_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFB1DECEB23), ref: 00007FFB1DED67B0

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DEDD092,?,?,?), ref: 00007FFB1DEDE0DA
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DEDD092,?,?,?), ref: 00007FFB1DEDE0F2

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DEDD092,?,?,?), ref: 00007FFB1DEDE11A
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DEDD092,?,?,?), ref: 00007FFB1DEDE132
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEDE17E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEDE196
EVP_PKEY_free.LIBCRYPTO-3-X64(?,00007FFB1DEDD092,?,?,?), ref: 00007FFB1DEDE2B6

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFB1DEDE0EB, 00007FFB1DEDE12B, 00007FFB1DEDE18F
tls_process_client_rpk, xrefs: 00007FFB1DEDE0DF, 00007FFB1DEDE11F, 00007FFB1DEDE183

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$Y_free$O_freeR_vset_error
String ID: ssl\statem\statem_srvr.c$tls_process_client_rpk
API String ID: 3941461471-483539336
Opcode ID: 4680b30837ba7c6d4d78eef1d7d9da205886d5785d1e7fdc35458dc223673852
Instruction ID: cd6ed037bc32168e43fe3e352542a511b2db782e7872e9a0d1df7413f4296534
Opcode Fuzzy Hash: 4680b30837ba7c6d4d78eef1d7d9da205886d5785d1e7fdc35458dc223673852
Instruction Fuzzy Hash: FE514FA3A08E4281EF40DB31D4496FA23A2FB88F95F544132DE8D87699EF38E4458710

Function 00007FFB1DE90F90 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 363COMMON

Download Yara Rule

Strings

QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFB1DE91115
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFB1DE910D9
RXKU cooldown internal error, xrefs: 00007FFB1DE91109
ssl\quic\quic_channel.c, xrefs: 00007FFB1DE910E5, 00007FFB1DE9114F
ch_rxku_tick, xrefs: 00007FFB1DE91143

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: QUIC error code: 0x%llx%s%s%s, reason: "%s"$RXKU cooldown internal error$ch_rxku_tick$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 0-2264542540
Opcode ID: ef2b3d2f4f29b3f807202e51f72cdf87f54178035ab2013d21d182d64645cc88
Instruction ID: d2f72e048a79dc75aef0bfee95c83065c3186a036b23afa9f8fb6fb4f51a458f
Opcode Fuzzy Hash: ef2b3d2f4f29b3f807202e51f72cdf87f54178035ab2013d21d182d64645cc88
Instruction Fuzzy Hash: ECF1A763A09F8142EE649B35E4443BB7392EB497B6F540239CAAE477D9EF3CE4418301

Function 00007FFB1DE82DE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

EVP_MD_get0_name.LIBCRYPTO-3-X64 ref: 00007FFB1DE82E25
OSSL_PARAM_construct_utf8_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE82E69
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64 ref: 00007FFB1DE82EA0
EVP_Q_mac.LIBCRYPTO-3-X64 ref: 00007FFB1DE82FA3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE82FAD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE82FC5
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE82FEC

Strings

properties, xrefs: 00007FFB1DE82E5A
ssl\tls13_enc.c, xrefs: 00007FFB1DE82FBE
HMAC, xrefs: 00007FFB1DE82F85
tls13_final_finish_mac, xrefs: 00007FFB1DE82FB2

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_get0_nameL_cleanseM_construct_endM_construct_utf8_stringQ_macR_newR_set_debug
String ID: HMAC$properties$ssl\tls13_enc.c$tls13_final_finish_mac
API String ID: 3095186593-1969053228
Opcode ID: a3ccedf04a60f091f5b0825d66c7b153fbd2032da6c74fce12e49171316e8de6
Instruction ID: 91aed3fe0682123fa07e939e93c8160351526d2f6a5f4ad0927910f7e040e5fb
Opcode Fuzzy Hash: a3ccedf04a60f091f5b0825d66c7b153fbd2032da6c74fce12e49171316e8de6
Instruction Fuzzy Hash: 95517C63A08F8681EB61DF25E4403EA67A1FB98B94F544136EE8C47B59EF38D185C740

Function 00007FFB1DE8ED69 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DEADBD0: CRYPTO_memcmp.LIBCRYPTO-3-X64(?,00007FFB1DE8EDA9), ref: 00007FFB1DEADC2A

Part of subcall function 00007FFB1DE8E520: memcmp.VCRUNTIME140 ref: 00007FFB1DE8E567

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EE08
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EE20
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EE72
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EE8A
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EE9B
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFB1DE8EEAF

Strings

QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFB1DE8EE62
ch_rx_handle_packet, xrefs: 00007FFB1DE8EE77
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFB1DE8EE0D
handling retry packet, xrefs: 00007FFB1DE8EE32
ssl\quic\quic_channel.c, xrefs: 00007FFB1DE8EE19, 00007FFB1DE8EE83

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveO_memcmpR_newR_set_errormemcmp
String ID: QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_rx_handle_packet$handling retry packet$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2112761334-3427577707
Opcode ID: dbd76bae90a40a217af2aa650bed19a6a4e05a9d87be5d6105111bd57091667c
Instruction ID: 55930ffff5e9f603067a53cf707a55205615e578352af4b2f92eb9b4f2cbcbee
Opcode Fuzzy Hash: dbd76bae90a40a217af2aa650bed19a6a4e05a9d87be5d6105111bd57091667c
Instruction Fuzzy Hash: 83415AA7719F8286EE50DB74E4403AB77A2EB48BA6F54403ADA8D43691EF3CE545C700

Function 00007FFB1DE65D50 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE65D94
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE65DAC
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE65DBD
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE65DD2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE65DEA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE65DFB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE65E13
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE65E2B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE65E3C

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE65DA5, 00007FFB1DE65DE3, 00007FFB1DE65E24
SSL_check_private_key, xrefs: 00007FFB1DE65D99, 00007FFB1DE65DD7, 00007FFB1DE65E18

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_check_private_key$ssl\ssl_lib.c
API String ID: 1552677711-56654757
Opcode ID: 3efe7a7df40da864e54f10b9bf9588ff119bf211e6b9b9239b8165bee2f6156f
Instruction ID: 7148262224c845e5ce2c8b3b97f93b4acca9a3a12c42e291f08ef1b8ef613a0e
Opcode Fuzzy Hash: 3efe7a7df40da864e54f10b9bf9588ff119bf211e6b9b9239b8165bee2f6156f
Instruction Fuzzy Hash: 3D2180A7F19D0242FE50E779C8562BB1352AF4CB66FA44435D40D82AA1FF2DF5468602

Function 00007FFB1DEC7D60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEC84CD
SetLastError.KERNEL32 ref: 00007FFB1DEC84D4
BUF_MEM_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC870E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC87D9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC87F1
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC880B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8823
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8834

Strings

ssl\statem\statem.c, xrefs: 00007FFB1DEC87EA, 00007FFB1DEC881C
state_machine, xrefs: 00007FFB1DEC87DE, 00007FFB1DEC8810

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$ErrorLastM_freeR_clear_errorR_set_error
String ID: ssl\statem\statem.c$state_machine
API String ID: 2605663294-1334640251
Opcode ID: ec611bc0e721421ba2220ae1615590289d24c7d24e80bc9563fbee26cabbc5df
Instruction ID: d7422d40a4e35a644692ea48690e4eb8df0e25bfba02f685757cef681dcf36fd
Opcode Fuzzy Hash: ec611bc0e721421ba2220ae1615590289d24c7d24e80bc9563fbee26cabbc5df
Instruction Fuzzy Hash: C541B5B3B08E4286FE649B31D5912BB2293EF4CBB2F984435DD4D86685FF3CE8418611

Function 00007FFB1DE7FD70 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 111COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE80920,?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE7FDA6
BIO_printf.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE80920,?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE7FDFA

Strings

client_verify_data, xrefs: 00007FFB1DE806B7, 00007FFB1DE806FC
server_verify_data, xrefs: 00007FFB1DE806DB
UNKNOWN, xrefs: 00007FFB1DE7FDC0
extension_type=%s(%d), length=%d, xrefs: 00007FFB1DE7FDE9
<EMPTY>, xrefs: 00007FFB1DE8071F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_indentO_printf
String ID: <EMPTY>$UNKNOWN$client_verify_data$extension_type=%s(%d), length=%d$server_verify_data
API String ID: 1860387303-127224826
Opcode ID: 5b8106dcc271e2d498b286ce1fafd286a774c79badce65027f6b94ff30efa206
Instruction ID: d265108e6781e090e299bc77ff5d8b755ed61a73efbb4ac2618c85a00ee2500c
Opcode Fuzzy Hash: 5b8106dcc271e2d498b286ce1fafd286a774c79badce65027f6b94ff30efa206
Instruction Fuzzy Hash: 8441E4B3A08E9685EE209B21E4005BB7752FB4DBA1F954131DE8D03795EF3DE502CB40

Function 00007FFB1DECADF0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE5D250: OBJ_nid2sn.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D287
Part of subcall function 00007FFB1DE5D250: EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D2AC
Part of subcall function 00007FFB1DE5D250: OBJ_nid2sn.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D2DE
Part of subcall function 00007FFB1DE5D250: EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D2E9
Part of subcall function 00007FFB1DE5D250: OBJ_nid2ln.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D2F4
Part of subcall function 00007FFB1DE5D250: EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DE7B8FA,00000000,?,00000000,?,?,?,00000001,00007FFB1DE7CAC7,?,00007FFB1DE57658), ref: 00007FFB1DE5D2FF

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5), ref: 00007FFB1DECAE5A
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5), ref: 00007FFB1DECAE72

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECAEAE
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECAEC6
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECAF1E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECAF36
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5,?,?,?,?,?,?), ref: 00007FFB1DECAF43
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5,?,?,?,?,?,?), ref: 00007FFB1DECAF5B

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECAE6B, 00007FFB1DECAEBF, 00007FFB1DECAF2F, 00007FFB1DECAF54
ssl3_check_cert_and_algorithm, xrefs: 00007FFB1DECAE5F, 00007FFB1DECAEB3, 00007FFB1DECAF23, 00007FFB1DECAF48

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$Y_is_a$J_nid2sn$J_nid2lnR_vset_error
String ID: ssl3_check_cert_and_algorithm$ssl\statem\statem_clnt.c
API String ID: 75950454-762223334
Opcode ID: 1401734b55bdca3ae5d03bf9a025fd6e45b9c1e8d434cdbb5e93c678d0f46468
Instruction ID: 359da5116b900c5b393ceefe411f9262e6e9e07712665622e7093aeb91d7729b
Opcode Fuzzy Hash: 1401734b55bdca3ae5d03bf9a025fd6e45b9c1e8d434cdbb5e93c678d0f46468
Instruction Fuzzy Hash: E44166A3A18E8241FF509735E8457BB2752DF8CBA5F840131EA5D47696FF2CE9818701

Function 00007FFB1DEC9E63 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5CD8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5CF0

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5D15
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5D2D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5D56
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5D6E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DED5DA4
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DED5DBC

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFB1DED5CE9, 00007FFB1DED5D26, 00007FFB1DED5D67, 00007FFB1DED5DB5
tls_process_change_cipher_spec, xrefs: 00007FFB1DED5CDD, 00007FFB1DED5D1A, 00007FFB1DED5D5B, 00007FFB1DED5DA9

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ssl\statem\statem_lib.c$tls_process_change_cipher_spec
API String ID: 4275876640-357517272
Opcode ID: a561854a95483960081977292c53ca0494a81ebfc7e8cbe4a17889bce4e45c52
Instruction ID: f6c27bd1942569380f395cf28b6749c29fb2608c2ed2ea25c27bbea63f5ad065
Opcode Fuzzy Hash: a561854a95483960081977292c53ca0494a81ebfc7e8cbe4a17889bce4e45c52
Instruction Fuzzy Hash: 8C4153B3A08E4286EF569B71D8557FB2752EF4DBA6F440032C90C82695FF2CE985C711

Function 00007FFB1DE70D20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE72894
BIO_s_file.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE728EF
BIO_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE728F7
ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE72904
ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE7291C
ERR_set_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE72AD5
X509_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE72ADF
BIO_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFB1DE72AE7

Strings

use_certificate_chain_file, xrefs: 00007FFB1DE72909
ssl\ssl_rsa.c, xrefs: 00007FFB1DE72915

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_freeO_newO_s_fileR_clear_errorR_newR_set_debugR_set_errorX509_free
String ID: ssl\ssl_rsa.c$use_certificate_chain_file
API String ID: 3845249754-2175753170
Opcode ID: 757e52527158bb9be4d3e69b21cc42e1de8a95b2466b321fcdf14eea8471f64f
Instruction ID: c2289df636cb2b888a49df5be64269017ef3b9446f7dc63f97d53c0f90f0a94e
Opcode Fuzzy Hash: 757e52527158bb9be4d3e69b21cc42e1de8a95b2466b321fcdf14eea8471f64f
Instruction Fuzzy Hash: 7A21C4A3E09E4242FE51A736D8411BF6292AF8DBE1F148035ED8C87B95FE3CE5428700

Function 00007FFB1DE5EDF0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE0E
CONF_parse_list.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE38
OPENSSL_sk_num.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE44
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE4D
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE65
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE76
OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE7E
OPENSSL_sk_free.LIBCRYPTO-3-X64(?,00007FFB1DE5E91E), ref: 00007FFB1DE5EE98

Strings

ssl\ssl_ciph.c, xrefs: 00007FFB1DE5EE5E
set_ciphersuites, xrefs: 00007FFB1DE5EE52

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_free$F_parse_listL_sk_new_nullL_sk_numR_newR_set_debugR_set_error
String ID: set_ciphersuites$ssl\ssl_ciph.c
API String ID: 1606736437-3779594500
Opcode ID: 74cd8c45dab4f5d06589385cb069255406096ce4423b885fc32600575174654a
Instruction ID: 08f90356c1ac1f61222cfde2eee0dd04085c9e76a56c9368aa8baa6e703053ef
Opcode Fuzzy Hash: 74cd8c45dab4f5d06589385cb069255406096ce4423b885fc32600575174654a
Instruction Fuzzy Hash: CD1151A6A18E4241FA519B35E8052BF6362AF8DB95F544431EE8C8379AFF3DE4518700

Function 00007FFB1C890520 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8905D2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8905FA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C890627
std::_Facet_Register.LIBCPMT ref: 00007FFB1C8906A0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8906BA

Strings

ios_base::failbit set, xrefs: 00007FFB1C8907D7
ios_base::eofbit set, xrefs: 00007FFB1C8907DE
ios_base::badbit set, xrefs: 00007FFB1C8907CB

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 459529453-1866435925
Opcode ID: a9b60e1219816011269aa4f4e5aa7f8d844616b8cf419fbefa170f6073ba4b13
Instruction ID: aef2d6ddc86d54a1196f5508458d81895b76abcd8edaf3e328bd7bc2c6c88548
Opcode Fuzzy Hash: a9b60e1219816011269aa4f4e5aa7f8d844616b8cf419fbefa170f6073ba4b13
Instruction Fuzzy Hash: 3F917CE2608F8681EB11CB25D4883F967A2FBC5BA4F254136DA5D437A9DF3CD846C740

Function 00007FFB1C8841B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32 ref: 00007FFB1C884242
SetWindowTextA.USER32 ref: 00007FFB1C8842FE
PostQuitMessage.USER32 ref: 00007FFB1C884326
GetModuleHandleW.KERNEL32 ref: 00007FFB1C884341
CreateWindowExA.USER32 ref: 00007FFB1C884396
GetModuleHandleW.KERNEL32 ref: 00007FFB1C8843A5
CreateWindowExA.USER32 ref: 00007FFB1C8843F4

Strings

EDIT, xrefs: 00007FFB1C88438A, 00007FFB1C8843E8
f, xrefs: 00007FFB1C8843B5

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Window$CreateHandleModuleText$MessagePostQuit
String ID: EDIT$f
API String ID: 1731620494-2612293861
Opcode ID: e44b27a9ecdc64e82d61b27cdc36a523f3f2407cdc228850f612a80c1071dcf9
Instruction ID: 45fa234f3a936f5fc51a6b7ce617b3196a7bed2c47d08a8d887c426eec538ded
Opcode Fuzzy Hash: e44b27a9ecdc64e82d61b27cdc36a523f3f2407cdc228850f612a80c1071dcf9
Instruction Fuzzy Hash: 795197F2A18FC681EB618B34F4583EA67A2FBC57A4FA04235D69D46A99DF7CD044C700

Function 00007FFB1DEBFCB0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFD40
OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFB1DEBFD55

Strings

tls_construct_ctos_use_srtp, xrefs: 00007FFB1DEBFDB0, 00007FFB1DEBFDFF, 00007FFB1DEBFE12
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBFDBC, 00007FFB1DEBFE1E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_numL_sk_value
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_use_srtp
API String ID: 557030205-2467558331
Opcode ID: d40b4c82b3f29d6f8a1e7c1a9a986afcad233030b82276f43fe5456bc43c1b55
Instruction ID: 775854faf7ee809ec1c766adf040cf50196f984dc7917abb5146d593541c3fbc
Opcode Fuzzy Hash: d40b4c82b3f29d6f8a1e7c1a9a986afcad233030b82276f43fe5456bc43c1b55
Instruction Fuzzy Hash: CF4182A7A0CE4245FE60A732D5416BB6292AF8DBE5F544131DE4D87B8AFE2EF4418700

Function 00007FFB1DEC9D4E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9D67
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9D7F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9DCD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9DE5

Part of subcall function 00007FFB1DE85020: RAND_priv_bytes_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE85054
Part of subcall function 00007FFB1DE85020: BN_bin2bn.LIBCRYPTO-3-X64 ref: 00007FFB1DE8506E
Part of subcall function 00007FFB1DE85020: OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE85084
Part of subcall function 00007FFB1DE85020: SRP_Calc_A.LIBCRYPTO-3-X64 ref: 00007FFB1DE8509E

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9DFC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9E14

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DEC9D78, 00007FFB1DEC9DDE, 00007FFB1DEC9E0D
tls_process_server_done, xrefs: 00007FFB1DEC9D6C
tls_process_initial_server_flight, xrefs: 00007FFB1DEC9DD2, 00007FFB1DEC9E01

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$Calc_D_priv_bytes_exL_cleanseN_bin2bn
String ID: ssl\statem\statem_clnt.c$tls_process_initial_server_flight$tls_process_server_done
API String ID: 3406187375-2542494847
Opcode ID: 6975dec2cd59426e34e067c514fd6b0767b1c898d775caf6fd1e5c168472c19c
Instruction ID: 8843479ca89efcc5f2832274fb62f3d387bcadb3cc574e95d5bc6c1604d19dae
Opcode Fuzzy Hash: 6975dec2cd59426e34e067c514fd6b0767b1c898d775caf6fd1e5c168472c19c
Instruction Fuzzy Hash: B6311AA3B08E4281FE519B36D8453BB6792AF98BA7F880131CD5D472D6FF2CE9458301

Function 00007FFB1DE56EF0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F06
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F0E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F1B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F33

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

BIO_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F60
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F77
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE56F9C

Strings

ssl3_init_finished_mac, xrefs: 00007FFB1DE56F20
ssl\s3_enc.c, xrefs: 00007FFB1DE56F2C

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_memR_newR_set_debugR_vset_errorX_free
String ID: ssl3_init_finished_mac$ssl\s3_enc.c
API String ID: 3393778312-3380058700
Opcode ID: 09635b7fd435f3e81e537f927d662769ac43fccf5dd9fd695c8e4ff2da5e3960
Instruction ID: 3a1a1d4442e2b341ee8492c8e082f18bcdb42542d7ec444803dd9c9a5063b35f
Opcode Fuzzy Hash: 09635b7fd435f3e81e537f927d662769ac43fccf5dd9fd695c8e4ff2da5e3960
Instruction Fuzzy Hash: 9A117073A08E8241EF51EB71E9557FF2251EB4CB95F440130ED4C8768AFE39D4448700

Function 00007FFB1DEA6E67 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6E71
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6E90
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6EBD
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
(Bidi), xrefs: 00007FFB1DEA6E82
(Uni), xrefs: 00007FFB1DEA6E7B
Max Data: %llu, xrefs: 00007FFB1DEA6EB3
Streams blocked, xrefs: 00007FFB1DEA6E67

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Max Data: %llu$ (Bidi)$ (Uni)$Streams blocked
API String ID: 4098839300-1226786348
Opcode ID: d1b49f794bb5b00e714316660cd153fc87882a4daa1e4cae55da6d4c0a43be9e
Instruction ID: 1492e07a2351ea68eeb2612fee2d78f9770e1ae6b5bb0758f6cab79d31ebe991
Opcode Fuzzy Hash: d1b49f794bb5b00e714316660cd153fc87882a4daa1e4cae55da6d4c0a43be9e
Instruction Fuzzy Hash: 940121D3B08E5385FE10EB75E8913BB13A2EB497A6F545036CD4E86695FE3CD5858300

Function 00007FFB1DEA6D85 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D8F
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6DAE
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6DDB
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
(Bidi), xrefs: 00007FFB1DEA6DA0
Max Streams: %llu, xrefs: 00007FFB1DEA6DD1
(Uni), xrefs: 00007FFB1DEA6D99
Max streams , xrefs: 00007FFB1DEA6D85

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Max Streams: %llu$ (Bidi)$ (Uni)$Max streams
API String ID: 4098839300-73837845
Opcode ID: a758f144d879cb7c9ba7d12f2c6adad74b7f00bdf8b31296939da68c7ec94da2
Instruction ID: 910ed7724d94f0da6f6e5b3131a2d997cb5615fdaa24a5fa90b6f59522da9e6c
Opcode Fuzzy Hash: a758f144d879cb7c9ba7d12f2c6adad74b7f00bdf8b31296939da68c7ec94da2
Instruction Fuzzy Hash: 79011EE3B48E5384FF10EB75E8513BB23A2EB497B6F445436C94E86695FE7CD1858200

Function 00007FFB1C8EE078 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8EE0B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8EE480
_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8EE71F

Strings

p, xrefs: 00007FFB1C8EE1C2
p, xrefs: 00007FFB1C8EE15D
f, xrefs: 00007FFB1C8EE305
f, xrefs: 00007FFB1C8EE150
f, xrefs: 00007FFB1C8EE1BA

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47833bed55cd5f9ce051d42473c1711052dc742df4958170f231bc47a6a14847
Instruction ID: ae60afc98c29cb5316e05298daa47bcfdcc95ba6c80cf09539f35646a297e4be
Opcode Fuzzy Hash: 47833bed55cd5f9ce051d42473c1711052dc742df4958170f231bc47a6a14847
Instruction Fuzzy Hash: EC1294E2E0C94386FB249A25E09C6FA7763FB81774FA44135E699466C4DF3CE980CB10

Function 00007FFB1C8A3660 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8A36C8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C8A3710
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8A384D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8A3866
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8A3879

Strings

true, xrefs: 00007FFB1C8A37B5
false, xrefs: 00007FFB1C8A3783
bad locale name, xrefs: 00007FFB1C8A386C

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Concurrency::cancel_current_taskLockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 461674175-1062449267
Opcode ID: 46d2d0ad9d4809274bd685029942ab2637e1b6ba810f0bffa205d9806f4cd334
Instruction ID: 985e8802768ec35d90b45d185e7205cb049b3005a8de4a4ecdb8b7f846f2be27
Opcode Fuzzy Hash: 46d2d0ad9d4809274bd685029942ab2637e1b6ba810f0bffa205d9806f4cd334
Instruction Fuzzy Hash: 09513CA2B0AB4189FB15DBB0D4943FC23A6EF40B68F240134DE4D67A99DF78E416D354

Function 00007FFB1DE68D90 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE68DB4
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE68DCC
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE68DDD

Strings

ossl_quic_get_value_uint, xrefs: 00007FFB1DE96307
ssl\ssl_lib.c, xrefs: 00007FFB1DE68DC5
SSL_get_value_uint, xrefs: 00007FFB1DE68DB9
expect_quic, xrefs: 00007FFB1DE95E0D
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE95E16, 00007FFB1DE9630E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_get_value_uint$expect_quic$ossl_quic_get_value_uint$ssl\quic\quic_impl.c$ssl\ssl_lib.c
API String ID: 1552677711-4117907438
Opcode ID: d54b8e4b5da6b5b82f7cbf6085916cc6ba1ad3a0538288a191a7f02584e11c6a
Instruction ID: 7e9838c5638396d8457a06d7aa023000799c975a7019f91e7b1f44cb9f9e175d
Opcode Fuzzy Hash: d54b8e4b5da6b5b82f7cbf6085916cc6ba1ad3a0538288a191a7f02584e11c6a
Instruction Fuzzy Hash: C351BBB3A19E4186EB14DB35D8442AE36A6FB4C7A9F540136EE4C43B98EF3DE545CB00

Function 00007FFB1DEC0F10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0F62
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC0F7A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC109F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC10B7

Strings

tls_parse_stoc_psk, xrefs: 00007FFB1DEC0F67, 00007FFB1DEC0FDB, 00007FFB1DEC10A4
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEC0F73, 00007FFB1DEC0FE7, 00007FFB1DEC10B0

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_psk
API String ID: 193678381-2745014102
Opcode ID: 0c8431bafd0d3eda5a1cadb54d3a57096c7ad5571d7dc658ced5db7334c3cbbe
Instruction ID: 35e55c9ee441313ce9dcdbb17b8ae2a2aaefad5d6aaba15fbb452e9b86cf96f1
Opcode Fuzzy Hash: 0c8431bafd0d3eda5a1cadb54d3a57096c7ad5571d7dc658ced5db7334c3cbbe
Instruction Fuzzy Hash: E141A5A3A08E8285FB819F34D4513BF37A2EF48B59F949131DA4C4B686EF38E4D58700

Function 00007FFB1DED0DF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

BUF_MEM_grow_clean.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0E60
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0E6A
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0E82
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0EF5
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0F01
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DED19E6,?,?,?,?,?,00007FFB1DED1F46,00000000,?,?,?,?,?,00000000,00007FFB1DED1CBD), ref: 00007FFB1DED0F19

Strings

ssl\statem\statem_dtls.c, xrefs: 00007FFB1DED0E7B, 00007FFB1DED0F12
dtls1_preprocess_fragment, xrefs: 00007FFB1DED0E6F, 00007FFB1DED0F0B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$M_grow_clean
String ID: dtls1_preprocess_fragment$ssl\statem\statem_dtls.c
API String ID: 3867660093-338339041
Opcode ID: 1da9671f54c1831d0795c4009c5fdd379a9752621122e0239797dcd0ac42778c
Instruction ID: 4ce38885ed27344b5cd9adb492aa6d1ef73e0110a7c7245c736885a5748985d0
Opcode Fuzzy Hash: 1da9671f54c1831d0795c4009c5fdd379a9752621122e0239797dcd0ac42778c
Instruction Fuzzy Hash: D83182B3A08E9185EF509B35D4443BE2B62FB5CB95F584132DE8C87796EF2CE5428710

Function 00007FFB1DE64CA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE602B0: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE60384

OPENSSL_sk_num.LIBCRYPTO-3-X64(?,00007FFB1DE6176B), ref: 00007FFB1DE64CF0
OPENSSL_sk_value.LIBCRYPTO-3-X64(?,00007FFB1DE6176B), ref: 00007FFB1DE64D05
OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE64D1E

Strings

SSL_CTX_set_cipher_list, xrefs: 00007FFB1DE64D45
ssl\ssl_lib.c, xrefs: 00007FFB1DE64D51

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_num$L_sk_valueO_malloc
String ID: SSL_CTX_set_cipher_list$ssl\ssl_lib.c
API String ID: 860447857-2435423952
Opcode ID: f0708b0e89e7c00b17960120374979127807768c227e9004b873dbe918009407
Instruction ID: ba88182107c4022d7b03851191946ed40c8745d0c9895618d504e9c6564d9634
Opcode Fuzzy Hash: f0708b0e89e7c00b17960120374979127807768c227e9004b873dbe918009407
Instruction Fuzzy Hash: DD21A7B3A18E5182EB119B39E4412EB63A2EF8CB95F540035DB4C877A6EF3DD5428600

Function 00007FFB1DEA6E0B Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6E15
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6E4A
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6E5D
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Stream id: %llu, xrefs: 00007FFB1DEA6E40
Max Data: %llu, xrefs: 00007FFB1DEA6E53
Stream data blocked, xrefs: 00007FFB1DEA6E0B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Max Data: %llu$ Stream id: %llu$Stream data blocked
API String ID: 3964688267-2016883709
Opcode ID: 0e709f39ef4af9806a769fee8d106aa3e8aab87837fcfc74b5b665a8ddb8f7b8
Instruction ID: bc6ab913ea9b56f26ddf900a1868b9d050a402e9c909a5e16d09823c5344f7f3
Opcode Fuzzy Hash: 0e709f39ef4af9806a769fee8d106aa3e8aab87837fcfc74b5b665a8ddb8f7b8
Instruction Fuzzy Hash: B2010CE3B48E5384FE10EB75E8513FE23A2AB497A6F441036CD4E56695FE7CD1468340

Function 00007FFB1DE69CD0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE69CFA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE69D12
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE69D23
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE69D41
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE69D59
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE69D65

Strings

SSL_sendfile, xrefs: 00007FFB1DE69D04, 00007FFB1DE69D46
ssl\ssl_lib.c, xrefs: 00007FFB1DE69D0B, 00007FFB1DE69D52

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$R_set_error
String ID: SSL_sendfile$ssl\ssl_lib.c
API String ID: 3026104281-989972824
Opcode ID: 939347fd670bc021c0c23a894fad911e2321ebb6fce38c98c2ce8356a90a1213
Instruction ID: 41549ac0a7b931db48610534b1e3b50331a979d9e3947e6172c3b756a8398427
Opcode Fuzzy Hash: 939347fd670bc021c0c23a894fad911e2321ebb6fce38c98c2ce8356a90a1213
Instruction Fuzzy Hash: F1016DA3A19E4645FE41A738C8593FB2652EF4C732F504635C05D82AD2FF2CA546C601

Function 00007FFB1C8E9BB4 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFB1C8E9C11

Part of subcall function 00007FFB1C8EBF74: __GetUnwindTryBlock.LIBCMT ref: 00007FFB1C8EBFB7
Part of subcall function 00007FFB1C8EBF74: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFB1C8EBFDC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFB1C8E9CE9
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFB1C8E9F37
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFB1C8EA044

Strings

csm, xrefs: 00007FFB1C8E9C2B
csm, xrefs: 00007FFB1C8E9D0C
csm, xrefs: 00007FFB1C8E9C92

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 91e99f75a28f144aaffb8785e9fb5fbc7f0288b1ebc1cafdba031944da0a9de3
Instruction ID: 37e4cb5cf49060c0dfda0c037de53998bb76ce38a3eb14aa39d113e757c4acf5
Opcode Fuzzy Hash: 91e99f75a28f144aaffb8785e9fb5fbc7f0288b1ebc1cafdba031944da0a9de3
Instruction Fuzzy Hash: F8D14EF2A08B8186EB209B75D4893FD67A2FB55BA8F204135EE4D57B95CF78E181C700

Function 00007FFB1C8FD7EC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFB1C8FD968
GetProcAddress.KERNEL32 ref: 00007FFB1C8FD974

Strings

api-ms-, xrefs: 00007FFB1C8FD8B2
ext-ms-, xrefs: 00007FFB1C8FD8C5

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 76964555390cb39ec7f833c25d8ab8d7b7668303fb72422c652e11cff557cbbf
Instruction ID: cc1d7ea7546538f8f4f66a4dbdd8e8ff72eb3fe16f22e0e2538e7b279fc1bcd9
Opcode Fuzzy Hash: 76964555390cb39ec7f833c25d8ab8d7b7668303fb72422c652e11cff557cbbf
Instruction Fuzzy Hash: 4841E3E1B29E1281EB16CF76D8881B52392BF45BF0F245536DE2D87798EE3CE4018741

Function 00007FFB1DEAFCE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(-0000003F,00007FFB1DED09ED), ref: 00007FFB1DEAFD13
ERR_set_debug.LIBCRYPTO-3-X64(-0000003F,00007FFB1DED09ED), ref: 00007FFB1DEAFD2B

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEAFD8A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEAFDA2

Strings

dtls1_write_bytes, xrefs: 00007FFB1DEAFD18
ssl\record\rec_layer_d1.c, xrefs: 00007FFB1DEAFD24, 00007FFB1DEAFD9B, 00007FFB1DEAFE15
do_dtls1_write, xrefs: 00007FFB1DEAFD8F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: do_dtls1_write$dtls1_write_bytes$ssl\record\rec_layer_d1.c
API String ID: 4275876640-3094033661
Opcode ID: 123be57dfd2d37954520370bea584c5f6b819af4cdf1d5f872a34311ab6715ee
Instruction ID: 361c3c1933facc9f56c33f00618b6be0437970f7e1d7030817bef7c9efa4fada
Opcode Fuzzy Hash: 123be57dfd2d37954520370bea584c5f6b819af4cdf1d5f872a34311ab6715ee
Instruction Fuzzy Hash: 80416EB3A08E46C6EF509B35D5443AA7762FB88BA6F104135EA4C47A99EF3DD441C700

Function 00007FFB1DEB7050 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB70A0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB70B8
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DEB70D9
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB712C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB7144

Strings

tls_release_record, xrefs: 00007FFB1DEB70A5, 00007FFB1DEB7131
ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB70B1, 00007FFB1DEB713D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$L_cleanse
String ID: ssl\record\methods\tls_common.c$tls_release_record
API String ID: 4083992426-1180888099
Opcode ID: b2dbb5e87f0c29bcad81080800a5fa3d4aef8425c9f2cc82b7f5072ef8202fa0
Instruction ID: f2cf81c25e84c30882fb4c58f4fd95370498b7e097ca63a440dc439a5dca6495
Opcode Fuzzy Hash: b2dbb5e87f0c29bcad81080800a5fa3d4aef8425c9f2cc82b7f5072ef8202fa0
Instruction Fuzzy Hash: EA31A763A08F8241EF50AB35D5443BE2352FB48BA5F585632DA4D07ED9EF6CE8918310

Function 00007FFB1DEC5EC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5F13
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5F2B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5F66
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5F72
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5F8A

Strings

tls_parse_ctos_maxfragmentlen, xrefs: 00007FFB1DEC5F1D, 00007FFB1DEC5F77
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC5F24, 00007FFB1DEC5F83

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_maxfragmentlen
API String ID: 476316267-3496052083
Opcode ID: bd287e5976c80d88a488bebedb3541ee283e54ada2b78649c9efddde8e5e4830
Instruction ID: fd33f5469478b10959e1ebc542a082b3d5b561827e50de586dc0ae3de55130aa
Opcode Fuzzy Hash: bd287e5976c80d88a488bebedb3541ee283e54ada2b78649c9efddde8e5e4830
Instruction Fuzzy Hash: D0216DA2A08E8281FF569770D8553FA2752EB48B62F988432DA4C47792FF2CE595C301

Function 00007FFB1DE69E50 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EVP_PKEY_get_security_bits.LIBCRYPTO-3-X64(?,00007FFB1DE57B6E), ref: 00007FFB1DE69E85
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE57B6E), ref: 00007FFB1DE69EA6
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE57B6E), ref: 00007FFB1DE69EBE
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE57B6E), ref: 00007FFB1DE69ECF
EVP_PKEY_free.LIBCRYPTO-3-X64(?,00007FFB1DE57B6E), ref: 00007FFB1DE69EEC

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE69EB7
SSL_set0_tmp_dh_pkey, xrefs: 00007FFB1DE69EAB

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_errorY_freeY_get_security_bits
String ID: SSL_set0_tmp_dh_pkey$ssl\ssl_lib.c
API String ID: 2486296959-933563172
Opcode ID: 93ab1687a164fd1e16b77856bbba2fa57239cde26efe25b1c09b06f92ece4fe8
Instruction ID: f0a30ece0adf2197fdf4bd794ce8ff728839be1ecfb8b85afc6f1d52fe98e2e3
Opcode Fuzzy Hash: 93ab1687a164fd1e16b77856bbba2fa57239cde26efe25b1c09b06f92ece4fe8
Instruction Fuzzy Hash: 091194A3B08D4242EF80D735E9412BA6392DF9CBE5F584031DE4C87B96FE2DD9418700

Function 00007FFB1DE9AF00 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE8FA30), ref: 00007FFB1DE9AF22
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE8FA30), ref: 00007FFB1DE9AF3A
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE8FA30), ref: 00007FFB1DE9AF50
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64(?,00007FFB1DE8FA30), ref: 00007FFB1DE9AF59

Strings

ssl\quic\quic_port.c, xrefs: 00007FFB1DE9AF33
ossl_quic_port_raise_net_error, xrefs: 00007FFB1DE9AF27
port failed due to network BIO I/O error, xrefs: 00007FFB1DE9AF3F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: E_saveR_newR_set_debugR_set_error
String ID: ossl_quic_port_raise_net_error$port failed due to network BIO I/O error$ssl\quic\quic_port.c
API String ID: 3894926980-3295190829
Opcode ID: 1dc73971fc9b413f8f575d2d690e552b550094afbf15641c671da4d6277e3351
Instruction ID: cc8ca7463fc1688717f78c745a1593ef94be200dfb89ea1a2fdb3e02f6afffbe
Opcode Fuzzy Hash: 1dc73971fc9b413f8f575d2d690e552b550094afbf15641c671da4d6277e3351
Instruction Fuzzy Hash: 70115EE3B09E0245EE59AB34D5443FB6792DF8CFA5F480031E94D8669EEE2CE8418240

Function 00007FFB1DE72F90 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

d2i_RSAPrivateKey.LIBCRYPTO-3-X64 ref: 00007FFB1DE72FB2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE72FBF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE72FD5
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE72FE5
RSA_free.LIBCRYPTO-3-X64 ref: 00007FFB1DE73007

Strings

SSL_use_RSAPrivateKey_ASN1, xrefs: 00007FFB1DE72FC4
ssl\ssl_rsa_legacy.c, xrefs: 00007FFB1DE72FCE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: A_freePrivateR_newR_set_debugR_set_errord2i_
String ID: SSL_use_RSAPrivateKey_ASN1$ssl\ssl_rsa_legacy.c
API String ID: 3102899966-1071993388
Opcode ID: 401df9b19d321d156ff059eb592fb347c2d3d15844c3af0f53dfe5096910732d
Instruction ID: eb7da7cdeb41c6a6811d9f1c7dde0e0f1d816072381b11b0231bcf09e3aa34b2
Opcode Fuzzy Hash: 401df9b19d321d156ff059eb592fb347c2d3d15844c3af0f53dfe5096910732d
Instruction Fuzzy Hash: FA01F7A3B18E0242EE44A735E5851BA5292EF4CBD0F441431F58D83A9AFE2CE5944700

Function 00007FFB1C8F8030 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8F8073
_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8F8460
_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8F86FC

Strings

f, xrefs: 00007FFB1C8F8195
p, xrefs: 00007FFB1C8F819D
p, xrefs: 00007FFB1C8F8125

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 03d55e367ab389e9976e01b60564d7a503353a681fb22da65b418983acbbbbfb
Instruction ID: aa20c0b1265b9051c9dc752cd7aeee834a1e043a3e143a0d874fe1ee1f6c4774
Opcode Fuzzy Hash: 03d55e367ab389e9976e01b60564d7a503353a681fb22da65b418983acbbbbfb
Instruction Fuzzy Hash: 391282E1E2CA6386FB205B24D0DC2FA7793FB42764FA44535E689476C4DB7CE9848B00

Function 00007FFB1C900A4C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C900E79

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 704a4e05f047316d552bd4de412b41c83938a6ee19a58c73f503546dddee0e8f
Instruction ID: d9516c1636523aa092080a1803ad0063300c3f329f38b203d994339d7ae0348a
Opcode Fuzzy Hash: 704a4e05f047316d552bd4de412b41c83938a6ee19a58c73f503546dddee0e8f
Instruction Fuzzy Hash: 1CC1D2E2A0CF8691E7A29B34D8582FD3B5AEB80BE0F255131DA4D07791CE7CE8658301

Function 00007FFB1C882460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8824CB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C882513
_Getctype.LIBCPMT ref: 00007FFB1C88252B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8825E3
_Getwctype.LIBCPMT ref: 00007FFB1C882631

Strings

bad locale name, xrefs: 00007FFB1C882606

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 4507bed2b4928513f2accb410c134653636f1984cb884dd125993ba23fb1c522
Instruction ID: 1ca45619b42b6d44cbdcba90f8b5f10d5b9483eb2852eeab1693e9c9a99cb14c
Opcode Fuzzy Hash: 4507bed2b4928513f2accb410c134653636f1984cb884dd125993ba23fb1c522
Instruction Fuzzy Hash: 3F5197A2B09F418AFB10DBB0D4A42FD3372EF84768F244134DE4D26A9ADF38E5568354

Function 00007FFB1DE54F30 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE52360: GetSystemTime.KERNEL32 ref: 00007FFB1DE52381
Part of subcall function 00007FFB1DE52360: SystemTimeToFileTime.KERNEL32 ref: 00007FFB1DE52391

BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE55039
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE55068
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE55080
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFB1DE55149

Strings

dtls1_check_timeout_num, xrefs: 00007FFB1DE5506D
ssl\d1_lib.c, xrefs: 00007FFB1DE55079

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Time$O_ctrlSystem$FileR_newR_set_debug
String ID: dtls1_check_timeout_num$ssl\d1_lib.c
API String ID: 1274549389-4185249889
Opcode ID: 83e9cf8a9400b736ef0c09377947e836b9f890858aa99334c5f3f0a169be9259
Instruction ID: 934133cf686845b4242b7d9b376890647d6b6061456714514fcba0285b3ec166
Opcode Fuzzy Hash: 83e9cf8a9400b736ef0c09377947e836b9f890858aa99334c5f3f0a169be9259
Instruction Fuzzy Hash: D4517DB7A19A8582EF949B35D0847FE23A2FB89BD5F540036DB4E47785EF29E4428300

Function 00007FFB1DEC2EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC2F21
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC2F39
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC3019
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC3031

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

tls_construct_stoc_client_cert_type, xrefs: 00007FFB1DEC2F26, 00007FFB1DEC301E
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC2F32, 00007FFB1DEC302A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_client_cert_type
API String ID: 4275876640-3371044479
Opcode ID: fab2805ac4ee20d7bdde39de65d796f3704e674cde6bc36f57642705309e6f8d
Instruction ID: 2c6ddbbbdb5c70a40871def520d6c5937a45305d2f963c7d58c4bf9f731fe595
Opcode Fuzzy Hash: fab2805ac4ee20d7bdde39de65d796f3704e674cde6bc36f57642705309e6f8d
Instruction Fuzzy Hash: 07416DA3B08E8285EF51A771D5123BB2692EB4A7A5F840031DE4C8A586FF7DE951C701

Function 00007FFB1C8EC4DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFB1C8EC561
GetLastError.KERNEL32 ref: 00007FFB1C8EC56F
LoadLibraryExW.KERNEL32 ref: 00007FFB1C8EC599
FreeLibrary.KERNEL32 ref: 00007FFB1C8EC607
GetProcAddress.KERNEL32 ref: 00007FFB1C8EC613

Strings

api-ms-, xrefs: 00007FFB1C8EC581

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ee3fedbbed816305e940a2fa37c06e51b0183695f87775410d6d8f63a405f42f
Instruction ID: 1f80663df2c70a8da16f5d498906c114f2c0abcd2b94daf815c0976db55fcfed
Opcode Fuzzy Hash: ee3fedbbed816305e940a2fa37c06e51b0183695f87775410d6d8f63a405f42f
Instruction Fuzzy Hash: 4431E6F1B1AF01D1EE129B22D8885B92796BF48BB0F690535DD1D4A795EF3CE440C740

Function 00007FFB1DEBDD10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBDD46
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBDD5E

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

tls_construct_ctos_ec_pt_formats, xrefs: 00007FFB1DEBDD4B, 00007FFB1DEBDE0F
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBDD57, 00007FFB1DEBDE1B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_ec_pt_formats
API String ID: 1390262125-950089143
Opcode ID: e728e959ea8dd07dd44b24fa19d21b2ffdec9932d476b12d5b4ecaf8716da528
Instruction ID: d1d6e13868a160b7255076231d9561c171b5f2c0ff658fe0356c0406230324dd
Opcode Fuzzy Hash: e728e959ea8dd07dd44b24fa19d21b2ffdec9932d476b12d5b4ecaf8716da528
Instruction Fuzzy Hash: 4631A5A3B08E4241EE609736E5012BB6752EF8C7E5F444231EE4D4BB8AFE2DE5418B40

Function 00007FFB1DECDCD0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DECADF0: ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5), ref: 00007FFB1DECAE5A
Part of subcall function 00007FFB1DECADF0: ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DECE3A5), ref: 00007FFB1DECAE72

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDD1C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECDD34
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECDD5D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECDD75

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECDD2D, 00007FFB1DECDD6E
tls_process_initial_server_flight, xrefs: 00007FFB1DECDD21, 00007FFB1DECDD62

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\statem\statem_clnt.c$tls_process_initial_server_flight
API String ID: 193678381-2981156782
Opcode ID: 8e0ecbf08279e2ab7a15daff625ffeaa8c5ce819dc274012882572c2dccb49e2
Instruction ID: e999146a03bdeb8444333bb9a9f23767d8e3df24a302c7db88f35dab5d52c892
Opcode Fuzzy Hash: 8e0ecbf08279e2ab7a15daff625ffeaa8c5ce819dc274012882572c2dccb49e2
Instruction Fuzzy Hash: 462190A3F08E4281FF919B75E8417BB1752EF8C7A6F881231D95C87295FF2DE4808200

Function 00007FFB1C8F8F60 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFB1C8F8F6F
FlsGetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8F84
FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FA5
FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FD2
FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FE3
FlsSetValue.KERNEL32(?,?,00000000,00007FFB1C8F4945), ref: 00007FFB1C8F8FF4
SetLastError.KERNEL32 ref: 00007FFB1C8F900F

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d7dd87d960a52d7d3b39f90614eaf56e13c71ca89724e29d3683e23b0650f381
Instruction ID: c07773fe7fa88583810d59f3d5cfda8548f672ebc29d16ea2c8f7de5984ae4d8
Opcode Fuzzy Hash: d7dd87d960a52d7d3b39f90614eaf56e13c71ca89724e29d3683e23b0650f381
Instruction Fuzzy Hash: 5E21ACE0B0CE9246FB296B31D59D0F953439F847F0F300235E93E07ADADE2CA4014600

Function 00007FFB1DE9AFE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

BIO_get_rpoll_descriptor.LIBCRYPTO-3-X64(?,00007FFB1DE988F5,?,00007FFB1DE93562), ref: 00007FFB1DE9B018
ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE988F5,?,00007FFB1DE93562), ref: 00007FFB1DE9B02F
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE988F5,?,00007FFB1DE93562), ref: 00007FFB1DE9B047
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE988F5,?,00007FFB1DE93562), ref: 00007FFB1DE9B058

Strings

ssl\quic\quic_port.c, xrefs: 00007FFB1DE9B040
validate_poll_descriptor, xrefs: 00007FFB1DE9B034

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_get_rpoll_descriptorR_newR_set_debugR_set_error
String ID: ssl\quic\quic_port.c$validate_poll_descriptor
API String ID: 820539120-2791221739
Opcode ID: e4d12133616dd12c6d0784c6f50957994bfd70f0e1f66ec48fb6d074d09f25d2
Instruction ID: f41307bab48443a9ba43bc961cddee41fdc7ee4376b36be37a0c59805d3c8df9
Opcode Fuzzy Hash: e4d12133616dd12c6d0784c6f50957994bfd70f0e1f66ec48fb6d074d09f25d2
Instruction Fuzzy Hash: 2411B9A3A19E42C2EE64D730E58137B7362FF8C795F944231EA9C86599FF3CD5908600

Function 00007FFB1C90BDD4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFB1C90BE05
GetLastError.KERNEL32 ref: 00007FFB1C90BE11
CloseHandle.KERNEL32 ref: 00007FFB1C90BE29
CreateFileW.KERNEL32 ref: 00007FFB1C90BE54
WriteConsoleW.KERNEL32 ref: 00007FFB1C90BE73

Strings

CONOUT$, xrefs: 00007FFB1C90BE35

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: e4a6e05229c5cd8db1ed04ece2e1cc91c46c676c02bf60fd5c377322ed5de9a7
Instruction ID: b4bf46b36d10f142c7a9249bfc4efe3c83afe21b39e36c7379c3a0c7beeb0b55
Opcode Fuzzy Hash: e4a6e05229c5cd8db1ed04ece2e1cc91c46c676c02bf60fd5c377322ed5de9a7
Instruction Fuzzy Hash: 541184E1618F41C6E7518B62E85836973A6FB88BF4F204234DA5D87798CF7CD4148744

Function 00007FFB1DEB7F90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB7FA9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB7FC1

Part of subcall function 00007FFB1DEB76D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFB1DEB34A0,?,00007FFB1DEB2DD6), ref: 00007FFB1DEB76FE

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB7FFE
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB8016

Strings

ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB7FBA, 00007FFB1DEB800F
tls_default_validate_record_header, xrefs: 00007FFB1DEB7FAE, 00007FFB1DEB8003

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ssl\record\methods\tls_common.c$tls_default_validate_record_header
API String ID: 4275876640-3396681412
Opcode ID: b54aea56f105e6acc2fbde1932f767692d3960efea79d93e55d2a421b6d4426b
Instruction ID: f1ee3793b646ec22d48afa1c3c8f03e2adceffb0673210912b92819f8f35c9c9
Opcode Fuzzy Hash: b54aea56f105e6acc2fbde1932f767692d3960efea79d93e55d2a421b6d4426b
Instruction Fuzzy Hash: B0118EE2E14D4287FF41AB71DC827FA1692DF8C762F940531D94C866C2FE6CE9C68610

Function 00007FFB1DEA6D3C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D46
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D7B
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Max stream data, xrefs: 00007FFB1DEA6D3C
Max Stream Data: %llu, xrefs: 00007FFB1DEA6D71

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Max Stream Data: %llu$Max stream data
API String ID: 4098839300-2997325953
Opcode ID: 5c96035cea866a3699caec1e7907ae77c64124e2ad45f1ec4ce0e7033a92fdbe
Instruction ID: fd4f117f79fed69c6a97188a6a9536a353acc68bd6f8aaf2b1f5d7c1eb1809cc
Opcode Fuzzy Hash: 5c96035cea866a3699caec1e7907ae77c64124e2ad45f1ec4ce0e7033a92fdbe
Instruction Fuzzy Hash: 5C011EE3B48E5384FF10EB75E8513FA23A2AF487A6F441036CD4E46595EE7CD1818200

Function 00007FFB1DE96E60 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE96EB8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE96ED0
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE96EE1

Strings

ossl_quic_reset, xrefs: 00007FFB1DE96EBD
expect_quic, xrefs: 00007FFB1DE96E98
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE96EA4, 00007FFB1DE96EC9

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: expect_quic$ossl_quic_reset$ssl\quic\quic_impl.c
API String ID: 1552677711-1634402930
Opcode ID: 79c33f25fa26c4eb6878d0b49aa63c12b9dec249f8002b37ce4493b16d489b7d
Instruction ID: 6d57b20ee7a2153c5d9b87b6c329afd6b9410894086046f742ae1eaa4bfce5ad
Opcode Fuzzy Hash: 79c33f25fa26c4eb6878d0b49aa63c12b9dec249f8002b37ce4493b16d489b7d
Instruction Fuzzy Hash: A10144A3A09D4283FF59A774D5556BB3653EF4C362F50003BD98D82695FE2DE644CE00

Function 00007FFB1DEA6DE5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D32
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6DEF
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Data blocked, xrefs: 00007FFB1DEA6DE5
Max Data: %llu, xrefs: 00007FFB1DEA6D28

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Max Data: %llu$Data blocked
API String ID: 4098839300-2931694649
Opcode ID: 41c3d789797a9784e7e21284a145ebb06d72a738e98f7f2cb646516f2a68ede4
Instruction ID: e424ca39ca29df869f0fafdca929f017064922c4863e0bca98d7aa3df328f4a0
Opcode Fuzzy Hash: 41c3d789797a9784e7e21284a145ebb06d72a738e98f7f2cb646516f2a68ede4
Instruction Fuzzy Hash: 5C01FFD3A48E5384FE10EB75E8513FB13A2AB497B6F545036CD4E4A585FE7CE185C210

Function 00007FFB1DEA6CFB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D05
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6D32
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Max data, xrefs: 00007FFB1DEA6CFB
Max Data: %llu, xrefs: 00007FFB1DEA6D28

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Max Data: %llu$Max data
API String ID: 4098839300-1929194112
Opcode ID: f3cc13ead1e906fafe4e086ce465cd3bc9db352f2b10b3fcbb2b4d1cfdce11fd
Instruction ID: c5bacfde76cebab6f76eccfce9853f7b85f9e5999de936a8867a69ebdb84ab5a
Opcode Fuzzy Hash: f3cc13ead1e906fafe4e086ce465cd3bc9db352f2b10b3fcbb2b4d1cfdce11fd
Instruction Fuzzy Hash: AD0162D3B48E5380FE10EB75E8513BB1392AF487B6F441036CD4E86585FE7CD1818200

Function 00007FFB1DEA701E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7014
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7028
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Data: %016llx, xrefs: 00007FFB1DEA700A
Path response, xrefs: 00007FFB1DEA701E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Data: %016llx$Path response
API String ID: 4098839300-2557722110
Opcode ID: 7252ae1a8e4432dd863947d1d78bdfc3d66ecb00e79ae9e770568c1ce47c84bc
Instruction ID: c978dc2f4ed2875370cf879a716174ced5927da7cef160fe9831bb1878503ef3
Opcode Fuzzy Hash: 7252ae1a8e4432dd863947d1d78bdfc3d66ecb00e79ae9e770568c1ce47c84bc
Instruction Fuzzy Hash: 04014FE3B08E5380FE10EB35E8513FB13A2AB49BB6F941036CD0E46585BE3CD582C200

Function 00007FFB1DEA6FDD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6FE7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7014
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Data: %016llx, xrefs: 00007FFB1DEA700A
Path challenge, xrefs: 00007FFB1DEA6FDD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Data: %016llx$Path challenge
API String ID: 4098839300-2103380131
Opcode ID: 56b9a5933ca75fdc0ec84f975b21a8d8c9d0dfe736529b12101d4ad2aff32b9c
Instruction ID: de3e370136d53ace1b8d21d4373457474061dafc1310f2ff1734f30ddfe5e6f4
Opcode Fuzzy Hash: 56b9a5933ca75fdc0ec84f975b21a8d8c9d0dfe736529b12101d4ad2aff32b9c
Instruction Fuzzy Hash: FB0112E3B48E5384FE14EB75E8513BB1392AB497B6F545036CD4E46585FE3CD5828200

Function 00007FFB1DEAADB0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RAND_bytes_ex.LIBCRYPTO-3-X64(00000001,00007FFB1DE9A67B,?,?,?,?,?,00007FFB1DE9A9B2,00007FFB1DE8C599), ref: 00007FFB1DEAADDA
ERR_new.LIBCRYPTO-3-X64(00000001,00007FFB1DE9A67B,?,?,?,?,?,00007FFB1DE9A9B2,00007FFB1DE8C599), ref: 00007FFB1DEAADE4
ERR_set_debug.LIBCRYPTO-3-X64(00000001,00007FFB1DE9A67B,?,?,?,?,?,00007FFB1DE9A9B2,00007FFB1DE8C599), ref: 00007FFB1DEAADFC
ERR_set_error.LIBCRYPTO-3-X64(00000001,00007FFB1DE9A67B,?,?,?,?,?,00007FFB1DE9A9B2,00007FFB1DE8C599), ref: 00007FFB1DEAAE0D

Strings

ssl\quic\quic_types.c, xrefs: 00007FFB1DEAADF5
ossl_quic_gen_rand_conn_id, xrefs: 00007FFB1DEAADE9

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_bytes_exR_newR_set_debugR_set_error
String ID: ossl_quic_gen_rand_conn_id$ssl\quic\quic_types.c
API String ID: 10171931-2593383686
Opcode ID: c1da001f0d841a807ee88bc4944877409260ec15931bc94d220e142284f8f2c4
Instruction ID: 0181fc6a01c71428224d077fc38b4b3b7abe685375eb6daa73bfbcef9704f3fa
Opcode Fuzzy Hash: c1da001f0d841a807ee88bc4944877409260ec15931bc94d220e142284f8f2c4
Instruction Fuzzy Hash: 50F096E3A18E4286FF91A734D8853BE1652DB1D762F944031D54C82696FE2C99948722

Function 00007FFB1DEA6FA2 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6FAC
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DEA6FD3
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFB1DEA7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFB1DEA710F
Sequence Number: %llu, xrefs: 00007FFB1DEA6FC9
Retire conn id, xrefs: 00007FFB1DEA6FA2

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: <unexpected trailing frame data skipped>$ Sequence Number: %llu$Retire conn id
API String ID: 4098839300-1651143614
Opcode ID: f3ba0d224e0f808a539f2aa8c4e8b7b91ab682e48afb2e27b91c74ac24c15592
Instruction ID: bac680eed3bbd5de57e99fdee5cb01d05e9bd932a2ab71eb0fe07d81c46850d0
Opcode Fuzzy Hash: f3ba0d224e0f808a539f2aa8c4e8b7b91ab682e48afb2e27b91c74ac24c15592
Instruction Fuzzy Hash: C9F03CD3B48E5384FE10EB35E8513BB1392AF49BB6F945036DD4E86295FE3CE5828200

Function 00007FFB1DE73F80 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE73F93
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE73FAB
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE73FBC
memcpy.VCRUNTIME140 ref: 00007FFB1DE73FE6

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE73FA4
SSL_SESSION_set1_id, xrefs: 00007FFB1DE73F98

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_errormemcpy
String ID: SSL_SESSION_set1_id$ssl\ssl_sess.c
API String ID: 1331007688-2106578281
Opcode ID: 321de72004554882e99c587b90b7982736c869f6a5ab84696c644771324cf5ad
Instruction ID: 1e78ccc2e295772cf04b1e8520782e0a6c14407ef2870681750cc4d991ca31a2
Opcode Fuzzy Hash: 321de72004554882e99c587b90b7982736c869f6a5ab84696c644771324cf5ad
Instruction Fuzzy Hash: B6F05497F19D5242FFD5A374C84A7FA11529F497A2F904531E40C82ED2FE2DA9464A01

Function 00007FFB1DE74000 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE74013
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7402B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE7403C
memcpy.VCRUNTIME140 ref: 00007FFB1DE7405E

Strings

ssl\ssl_sess.c, xrefs: 00007FFB1DE74024
SSL_SESSION_set1_id_context, xrefs: 00007FFB1DE74018

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_errormemcpy
String ID: SSL_SESSION_set1_id_context$ssl\ssl_sess.c
API String ID: 1331007688-3304994481
Opcode ID: 3c5c1bc07914caa146229ccc400f9cb5c995afa6efecd344b3df076daa775832
Instruction ID: 62049ac0837710d85557f131c1726085b23139322a62307768ed8e430f45084b
Opcode Fuzzy Hash: 3c5c1bc07914caa146229ccc400f9cb5c995afa6efecd344b3df076daa775832
Instruction Fuzzy Hash: C0F082A7F19C5242FF90A374C84B7BA12529F4C762FD00431E10D82A96FD1D654A4A02

Function 00007FFB1DE6ED40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

X509_get_key_usage.LIBCRYPTO-3-X64 ref: 00007FFB1DE6ED5A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6ED63
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6ED7B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE6ED8C

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE6ED74
ssl_check_srvr_ecc_cert_and_alg, xrefs: 00007FFB1DE6ED68

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_errorX509_get_key_usage
String ID: ssl\ssl_lib.c$ssl_check_srvr_ecc_cert_and_alg
API String ID: 3895051433-1092151
Opcode ID: 21bd7cf063ddb34ba0f1549e315c99f8af28101ec2405df4443b722d901e618a
Instruction ID: 664209dd0f9e0804f81f8de850cb70b5e2ad875e75e02eb000128d6c0195f0fb
Opcode Fuzzy Hash: 21bd7cf063ddb34ba0f1549e315c99f8af28101ec2405df4443b722d901e618a
Instruction Fuzzy Hash: 40F0A0E7E18D4242FF94A738C84A3FA1753AF8CB62FC04071D44C82AD2FF1DA5498600

Function 00007FFB1C8E6814 Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFB1C8E6884
MultiByteToWideChar.KERNEL32 ref: 00007FFB1C8E6922
LCMapStringEx.KERNEL32 ref: 00007FFB1C8E698B
LCMapStringEx.KERNEL32 ref: 00007FFB1C8E69DD
LCMapStringEx.KERNEL32 ref: 00007FFB1C8E6A82
WideCharToMultiByte.KERNEL32 ref: 00007FFB1C8E6ADC

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 4f429350822d38cf741f274bf522f6251560daf0dca7a84c274542efc040da1f
Instruction ID: 8893ac0b301fd416266b54e0ba015dde527ab423592048c8f805433d450450b8
Opcode Fuzzy Hash: 4f429350822d38cf741f274bf522f6251560daf0dca7a84c274542efc040da1f
Instruction Fuzzy Hash: DB8181F2A08B4586EB209F35E5882B967A6FB54BF8F644235EA5D47BD8DF3CD4018700

Function 00007FFB1C897DA0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C897DB5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C897DDA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C897E04
std::_Facet_Register.LIBCPMT ref: 00007FFB1C897E7B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C897E95
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C897EA8

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2078caa9b0906595447c9fed7b8b9ffcad9e240a892721c42b097956612d8035
Instruction ID: e908739f3db37e69ebd4f3909dd3db23b1ef6a9bccf48e2b83677af516a1131e
Opcode Fuzzy Hash: 2078caa9b0906595447c9fed7b8b9ffcad9e240a892721c42b097956612d8035
Instruction Fuzzy Hash: F43164E2A08E4681EA15AB75E8881FD6363FF84BB4F7C0131DA5D076A9DF7CE8418314

Function 00007FFB1C89B5A0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89B5B5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89B5DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89B604
std::_Facet_Register.LIBCPMT ref: 00007FFB1C89B67B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89B695
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C89B6A8

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: f2efa162d41545452703f3155940ade073451798512bbe2669487118baa27ae3
Instruction ID: 0c8d14c68378efdb7ec69855dc0139e9939c8a6bd3b334abcca8a60195aad11d
Opcode Fuzzy Hash: f2efa162d41545452703f3155940ade073451798512bbe2669487118baa27ae3
Instruction Fuzzy Hash: 4C3186E1A09E4685EA669F35E4881F96362EF84BB4F780131DA1D07799DE7CF842C310

Function 00007FFB1C89AE20 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89AE35
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89AE5A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89AE84
std::_Facet_Register.LIBCPMT ref: 00007FFB1C89AEFB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89AF15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C89AF28

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e8e5846501c7e3c7a0e0eb6600411b619242743885585e5fd94a8f2eab9b8084
Instruction ID: 6f1e8dc7bf0e58feb7290c104b04b6f8ad56fdd8f0f5061968ec0edd0ab28ef7
Opcode Fuzzy Hash: e8e5846501c7e3c7a0e0eb6600411b619242743885585e5fd94a8f2eab9b8084
Instruction Fuzzy Hash: 183160E2A08E4681EE169B35E8891FDB362EB847B4F780132DA1D07699EF3CE4418310

Function 00007FFB1C89A250 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89A265
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C89A28A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89A2B4
std::_Facet_Register.LIBCPMT ref: 00007FFB1C89A32B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C89A345
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C89A358

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d5e4cd09fca282295036a35705e86cefbddc80434b9620f3fb130aabe91c18d3
Instruction ID: 6918f7b8fef26aed27b31bde8731e437401495ad09860b819c481e81cb75424c
Opcode Fuzzy Hash: d5e4cd09fca282295036a35705e86cefbddc80434b9620f3fb130aabe91c18d3
Instruction Fuzzy Hash: C13192E2A08E4680EE15DB75E8C91F9A362EF94BB4F7C0131DA1D0769ADE7CE4418314

Function 00007FFB1C8EA084 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFB1C8EA222
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFB1C8EA54B

Strings

csm, xrefs: 00007FFB1C8EA249
csm, xrefs: 00007FFB1C8EA169
csm, xrefs: 00007FFB1C8EA1CB

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: abf34aaf3991cee643d7471f95007a6c40fb5a1d943a9ff926477079697fe416
Instruction ID: c28905e168446c54d8a63b1a84a3c7f9ad5905869e807c7d551600189a3fa0d5
Opcode Fuzzy Hash: abf34aaf3991cee643d7471f95007a6c40fb5a1d943a9ff926477079697fe416
Instruction Fuzzy Hash: 44E1B1F2908A828AEB10DF78D4892FD7BA2FB45B68F244135DE8D57656DF38E485C700

Function 00007FFB1DEC8E20 Relevance: 9.1, APIs: 6, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE6EF20: ERR_set_mark.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF4C
Part of subcall function 00007FFB1DE6EF20: OBJ_nid2sn.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF53
Part of subcall function 00007FFB1DE6EF20: EVP_MD_fetch.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF61
Part of subcall function 00007FFB1DE6EF20: ERR_pop_to_mark.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF69

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8E73
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8E9F
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8EB8
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8ECC
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8ED8

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Digest$Update$D_fetchFinal_exJ_nid2snR_pop_to_markR_set_markX_freeX_new
String ID:
API String ID: 2716796635-0
Opcode ID: 9295ca6018dc4c825da65ec4fe024c19c56108a43e67eafccc1d80f831976607
Instruction ID: d48860574660a5a355232c3f97d75c8577752d898ccdd13e671c8147731e1af8
Opcode Fuzzy Hash: 9295ca6018dc4c825da65ec4fe024c19c56108a43e67eafccc1d80f831976607
Instruction Fuzzy Hash: B221AF92B18F4244EE54E636EA452BF52929F89FE1F441031EE8D8778BFE2CE8414304

Function 00007FFB1C8F90D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFB1C8F90E7
FlsSetValue.KERNEL32(?,?,0000A21CA32B4EEC,00007FFB1C8F3BE5,?,?,?,?,00007FFB1C902EDA,?,?,00000000,00007FFB1C904DEF,?,?,?), ref: 00007FFB1C8F911D
FlsSetValue.KERNEL32(?,?,0000A21CA32B4EEC,00007FFB1C8F3BE5,?,?,?,?,00007FFB1C902EDA,?,?,00000000,00007FFB1C904DEF,?,?,?), ref: 00007FFB1C8F914A
FlsSetValue.KERNEL32(?,?,0000A21CA32B4EEC,00007FFB1C8F3BE5,?,?,?,?,00007FFB1C902EDA,?,?,00000000,00007FFB1C904DEF,?,?,?), ref: 00007FFB1C8F915B
FlsSetValue.KERNEL32(?,?,0000A21CA32B4EEC,00007FFB1C8F3BE5,?,?,?,?,00007FFB1C902EDA,?,?,00000000,00007FFB1C904DEF,?,?,?), ref: 00007FFB1C8F916C
SetLastError.KERNEL32 ref: 00007FFB1C8F9187

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 96a8689b5cc5df9bb2f01ed0f57851bf63e2101454e26158d78152ee653b5782
Instruction ID: 0ed84330320a4d007f19ba4933cd3d09c4b844d02e5618907731094038260183
Opcode Fuzzy Hash: 96a8689b5cc5df9bb2f01ed0f57851bf63e2101454e26158d78152ee653b5782
Instruction Fuzzy Hash: AA114DE4B0CE8252FA65AB31D99E0F953535F847F0F341635E93E07BDAEE2CA4814211

Function 00007FFB1C882150 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8821BB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C882203
_Getctype.LIBCPMT ref: 00007FFB1C88221B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8822AB

Strings

bad locale name, xrefs: 00007FFB1C8822CE

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: bb14e5893a69a69c079fbe3f155af292fc3924f0443e29ea029a21211c15d3ee
Instruction ID: 10687aed4f911ae75656f8013694a295352fc1586d597102f96965e6846fd28b
Opcode Fuzzy Hash: bb14e5893a69a69c079fbe3f155af292fc3924f0443e29ea029a21211c15d3ee
Instruction Fuzzy Hash: 5B4169A2B09F4189FB11DFB0D4942FC2366EF44758F244038DE4D66A9ADF38E5169344

Function 00007FFB1DE7B020 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE7B11A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE7B132
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE7B141

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE7B12B
tls12_copy_sigalgs, xrefs: 00007FFB1DE7B11F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ssl\t1_lib.c$tls12_copy_sigalgs
API String ID: 1552677711-2385470557
Opcode ID: cad1d36bf26bdcf973611120ef3c5fbb5d9c51e3370ada3b2ae1c355723738f8
Instruction ID: 053c62b159d89db551e0891c42e65a8be7782be15446519d084a7f8c0bd1d42b
Opcode Fuzzy Hash: cad1d36bf26bdcf973611120ef3c5fbb5d9c51e3370ada3b2ae1c355723738f8
Instruction Fuzzy Hash: 9B31A7A3F08E5282EF948E35D54427B67A2EB48BA5F144035DF4C87695FE3CD981C780

Function 00007FFB1DEC4D80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4E07
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4E68

Strings

tls_parse_ctos_client_cert_type, xrefs: 00007FFB1DEC4E5A
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC4E61

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_client_cert_type
API String ID: 193678381-2187535903
Opcode ID: ab24fd5171186243c8273706c224f691be03150e33add73807dfaab2d2786a57
Instruction ID: 1d33336392829ccdbc1facbc1d8b4aaa46f7bc5f155af0cc87f721777a2b1702
Opcode Fuzzy Hash: ab24fd5171186243c8273706c224f691be03150e33add73807dfaab2d2786a57
Instruction Fuzzy Hash: A321F3E3B09A8185EF418BB1D4043FB2792EF19799F449031EE8D4B696FF2CE4958302

Function 00007FFB1DEC7040 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC70D8
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC70EF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC7107

Strings

tls_parse_ctos_sig_algs_cert, xrefs: 00007FFB1DEC70F9
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC7100

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_sig_algs_cert
API String ID: 476316267-1652955096
Opcode ID: 8766831d10dac0fe0c9deaafde48de162cfaad53655b032c95e9abf08b5ef9c9
Instruction ID: f81861bcfb165ad1aeaf8fc4ae4832483318cc1a09cdb3b9acf01348f52104ac
Opcode Fuzzy Hash: 8766831d10dac0fe0c9deaafde48de162cfaad53655b032c95e9abf08b5ef9c9
Instruction Fuzzy Hash: 8921A7A3E18D9686EF619B34D4026BB6752EB5C395F444131EACC46682FF3CE2D0C700

Function 00007FFB1DEC6F50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6FE5
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6FFC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC7014

Strings

ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC700D
tls_parse_ctos_sig_algs, xrefs: 00007FFB1DEC7006

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_sig_algs
API String ID: 476316267-1893274837
Opcode ID: 68b0abc332a915ced68e79ed37ddb5688f2f83613fca72185eace0611321763f
Instruction ID: 5490d9709b0d4351bb4ac7db02fe608be26b8c687654b142a8972a89990773fe
Opcode Fuzzy Hash: 68b0abc332a915ced68e79ed37ddb5688f2f83613fca72185eace0611321763f
Instruction Fuzzy Hash: 9821C5A3A189D242EF619B34D411ABB6792EB5C3A5F404130E98C46A91FF3CE290CB01

Function 00007FFB1DECCDE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE51DB0: memcpy.VCRUNTIME140 ref: 00007FFB1DE51E0E

memset.VCRUNTIME140 ref: 00007FFB1DECCE5A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECCE74
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECCE8C

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECCE85
tls_construct_next_proto, xrefs: 00007FFB1DECCE79

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugmemcpymemset
String ID: ssl\statem\statem_clnt.c$tls_construct_next_proto
API String ID: 2334240134-950454232
Opcode ID: dfb4b621e1924b2c4a270b5a4b097522b02e0f09d67b0914293e7dfc81d1cd31
Instruction ID: 1e59de012946d05412656465b3bb7e0c44589b4b2a21fd5a39efd31f5b106252
Opcode Fuzzy Hash: dfb4b621e1924b2c4a270b5a4b097522b02e0f09d67b0914293e7dfc81d1cd31
Instruction Fuzzy Hash: C11181A3B18E8181EF40D722E8457AB6621EB89BD5F440131EE4D87B9AEF2DD5818700

Function 00007FFB1DE81086 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE810CA
BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810E4
BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810FF

Strings

%02X, xrefs: 00007FFB1DE810F5
%s (len=%d): , xrefs: 00007FFB1DE810D4

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_printf$O_indent
String ID: %02X$%s (len=%d):
API String ID: 1715996925-4138326432
Opcode ID: 3e906853c1422aeca90b5493b95a4838faa1308926f9c9ee9d3866027da7554d
Instruction ID: 3e4dcdd4cde4b829a3eacb55030f9db859bcdbca7bc6c49a9b14ae6fb8306d4b
Opcode Fuzzy Hash: 3e906853c1422aeca90b5493b95a4838faa1308926f9c9ee9d3866027da7554d
Instruction Fuzzy Hash: 8811C2A7B08E9385EE109B61D44017A6762EB8DFE1F544030EA4D47B8AEE7CE5028700

Function 00007FFB1DE6C070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C268
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C280
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C291

Strings

SSL_write_early_data, xrefs: 00007FFB1DE6C272
ssl\ssl_lib.c, xrefs: 00007FFB1DE6C279

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_write_early_data$ssl\ssl_lib.c
API String ID: 1552677711-3931977519
Opcode ID: 32bbe175b4eabcbe7fde1636ae99d0cd9228b7a8b768dd4655aa14606380449a
Instruction ID: 70a8b9fa4af7d6a0b1ba48ecf2cf7848fae10ff467446dca95c0d390c69cc882
Opcode Fuzzy Hash: 32bbe175b4eabcbe7fde1636ae99d0cd9228b7a8b768dd4655aa14606380449a
Instruction Fuzzy Hash: 1E0104A3B08E0146EA41DF6AE9416BB6762FF49BE1F584831ED4C83A55FE3CD492C640

Function 00007FFB1DE83E20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,00007FFB1DE57BE9), ref: 00007FFB1DE83E46
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFB1DE57BE9), ref: 00007FFB1DE83E5E
ERR_set_error.LIBCRYPTO-3-X64(?,00007FFB1DE57BE9), ref: 00007FFB1DE83E6F

Strings

ssl_set_tmp_ecdh_groups, xrefs: 00007FFB1DE83E4B
ssl\tls_depr.c, xrefs: 00007FFB1DE83E57

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ssl\tls_depr.c$ssl_set_tmp_ecdh_groups
API String ID: 1552677711-458883015
Opcode ID: 41461e935c2e4ebe6772fbc43e0abf513e4f829c0847211bb31f6c840e58102a
Instruction ID: 2d6d2d2d7d7cb291c005d09cb774eae24ee9aba8d54175369668c36871f703cb
Opcode Fuzzy Hash: 41461e935c2e4ebe6772fbc43e0abf513e4f829c0847211bb31f6c840e58102a
Instruction Fuzzy Hash: 3D01A7A3B18E4241EE40E775F9552BF52529F8CBE1F940431E94CC3B97FE2CE9414601

Function 00007FFB1DE64D90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE64DC2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE64DDA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE64DEB

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE64DD3
SSL_CTX_set_ct_validation_callback, xrefs: 00007FFB1DE64DC7

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_CTX_set_ct_validation_callback$ssl\ssl_lib.c
API String ID: 1552677711-2040829678
Opcode ID: 365b8302c3871323631ae1f1862b7bb40db991334e675d206f0f34822a21de67
Instruction ID: e8eae44d3ae481af3b7d00e1a60b0cb8d0d3c40cba0bd63abcb86f8bdb3f3b7a
Opcode Fuzzy Hash: 365b8302c3871323631ae1f1862b7bb40db991334e675d206f0f34822a21de67
Instruction Fuzzy Hash: 6F017573A18E8141FB80D725E9452AE6366EF5CBD1F544031FE4D87B9AEF2CD9518700

Function 00007FFB1DE9DD70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(00000000,00007FFB1DE9BE4B,?,00007FFB1DE9109E), ref: 00007FFB1DE9DDB6
ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFB1DE9BE4B,?,00007FFB1DE9109E), ref: 00007FFB1DE9DDCE
ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFB1DE9BE4B,?,00007FFB1DE9109E), ref: 00007FFB1DE9DDDF

Part of subcall function 00007FFB1DE9D750: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(00000000,00007FFB1DE9E3AD,?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9D7BD
Part of subcall function 00007FFB1DE9D750: OPENSSL_cleanse.LIBCRYPTO-3-X64(00000000,00007FFB1DE9E3AD,?,?,?,?,?,00000000,?,00000000,00007FFB1DE9EA40,00007FFB1DE9FFEC,?,00000000), ref: 00007FFB1DE9D7DB

Strings

ssl\quic\quic_record_shared.c, xrefs: 00007FFB1DE9DDC7
ossl_qrl_enc_level_set_key_update_done, xrefs: 00007FFB1DE9DDBB

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_cleanseR_newR_set_debugR_set_errorX_free
String ID: ossl_qrl_enc_level_set_key_update_done$ssl\quic\quic_record_shared.c
API String ID: 3103327723-2425047315
Opcode ID: 8a09111afc41bf56adf566cf300c79b5d0d382fbd4e344e79eb3d4da9e6d78cf
Instruction ID: 4f13a7897adfeb6805f84a1cd471e4a157554ce20b940c426252c44c55d7d5d2
Opcode Fuzzy Hash: 8a09111afc41bf56adf566cf300c79b5d0d382fbd4e344e79eb3d4da9e6d78cf
Instruction Fuzzy Hash: 69F0CDE3F09C0243FF54A374D9463FA22139F4A326F500032D44C8A6CAFE2DE8818250

Function 00007FFB1C8F7070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFB1C8F7095
GetProcAddress.KERNEL32 ref: 00007FFB1C8F70AB
FreeLibrary.KERNEL32 ref: 00007FFB1C8F70D2

Strings

mscoree.dll, xrefs: 00007FFB1C8F708C
CorExitProcess, xrefs: 00007FFB1C8F70A4

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 02a51184f0ad60d451aac1f2bf2828ed4a1fa822c78cdcaa76b18dbf709fc541
Instruction ID: 31fe20074f8cfcf34cff8bea75d34914f292b78f1b623f33eae2a7992f48a244
Opcode Fuzzy Hash: 02a51184f0ad60d451aac1f2bf2828ed4a1fa822c78cdcaa76b18dbf709fc541
Instruction Fuzzy Hash: 93F062E2B19F0281FB119B34E4883B95322EF857B1F640639C56E8A5E8CF2CD048C300

Function 00007FFB1DE6C000 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C012
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C02A
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE6C03B

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE6C023
SSL_write, xrefs: 00007FFB1DE6C017

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_write$ssl\ssl_lib.c
API String ID: 1552677711-192829535
Opcode ID: 31756dda6754f021c9e3ee2afa6fa01cfc7681e29585fb95f98949b5827e85ca
Instruction ID: 9bb0e8f44767f0d5e10e577f10b443f2aa030b6adb9db6b57b6a41b54719ce3c
Opcode Fuzzy Hash: 31756dda6754f021c9e3ee2afa6fa01cfc7681e29585fb95f98949b5827e85ca
Instruction Fuzzy Hash: A5F089A3F18E8143EE51A378D8576A72711AF88362F900135F64D82EE2FF2CD615CA01

Function 00007FFB1DEA5DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5DFE
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5E16
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5E27

Strings

ssl\quic\quic_tls.c, xrefs: 00007FFB1DEA5E0F
quic_increment_sequence_ctr, xrefs: 00007FFB1DEA5E03

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: quic_increment_sequence_ctr$ssl\quic\quic_tls.c
API String ID: 1552677711-2984182107
Opcode ID: 2bda01d62cd7fc7580ba1e648df4c5818702b613ffabc4c6d2f031ed0ed249b0
Instruction ID: 758729d42302e449bfce71ec4cb7f3df9026b37d5dbc31ef3b66c10964bd09e4
Opcode Fuzzy Hash: 2bda01d62cd7fc7580ba1e648df4c5818702b613ffabc4c6d2f031ed0ed249b0
Instruction Fuzzy Hash: 09F0A7E3B05D4286FF90E774C88A3BB2692DF08736F944030D94D82691FF2CA486C601

Function 00007FFB1DEA5D70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5D8E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5DA6
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5DB7

Strings

quic_get_max_record_overhead, xrefs: 00007FFB1DEA5D93
ssl\quic\quic_tls.c, xrefs: 00007FFB1DEA5D9F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: quic_get_max_record_overhead$ssl\quic\quic_tls.c
API String ID: 1552677711-2775230731
Opcode ID: b07683987a82af6a9afa90e891e9d533406289f5581da0ca5182e7fbe888a508
Instruction ID: 7853fe846fb292b3a7c566a8b975ba6ee261f435cccf70e0ac901d3e083cd917
Opcode Fuzzy Hash: b07683987a82af6a9afa90e891e9d533406289f5581da0ca5182e7fbe888a508
Instruction Fuzzy Hash: F5F0A7E3B04D428AFF90E770D88A3BB1752DF48722F544431D94D86691FF2CE4858A01

Function 00007FFB1DEA5D00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5D1E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5D36
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DEA5D47

Strings

ssl\quic\quic_tls.c, xrefs: 00007FFB1DEA5D2F
quic_app_data_pending, xrefs: 00007FFB1DEA5D23

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: quic_app_data_pending$ssl\quic\quic_tls.c
API String ID: 1552677711-2758597072
Opcode ID: 5dca2a2c7a1737ca4f7713e785542bb2b81d1c38b09afef6cfaa673e105f6e9b
Instruction ID: 3b88284e849b3b83ff37c4b3bc96ebe0a1821677ba54c0c94c75e41479b8f4b1
Opcode Fuzzy Hash: 5dca2a2c7a1737ca4f7713e785542bb2b81d1c38b09afef6cfaa673e105f6e9b
Instruction Fuzzy Hash: A3F0A7E3B05D4286FF90D770C88A3BB1652DF08722F545030D94D82692FF2CE4868601

Function 00007FFB1DE77E00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE77E12
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE77E2A
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE77E3B

Strings

ssl\t1_lib.c, xrefs: 00007FFB1DE77E23
SSL_CTX_set_tlsext_max_fragment_length, xrefs: 00007FFB1DE77E17

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_CTX_set_tlsext_max_fragment_length$ssl\t1_lib.c
API String ID: 1552677711-1083014569
Opcode ID: e71796e5b9daf09064d6366a82eba239663b4108bfcea90810ffdad401a1be2b
Instruction ID: 891d0a625ab792b774e19de7652ecf65df12c8c1be9b27d2c447d6ebf729c1ef
Opcode Fuzzy Hash: e71796e5b9daf09064d6366a82eba239663b4108bfcea90810ffdad401a1be2b
Instruction Fuzzy Hash: 51E01297E19C8242FB41B334DD4B3FA16139F58722FE04471E04C916D2FE1D958A8A11

Function 00007FFB1DE65E50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(00007FFB1DE5318B), ref: 00007FFB1DE65E66
ERR_set_debug.LIBCRYPTO-3-X64(00007FFB1DE5318B), ref: 00007FFB1DE65E7E
ERR_set_error.LIBCRYPTO-3-X64(00007FFB1DE5318B), ref: 00007FFB1DE65E8F

Strings

ssl\ssl_lib.c, xrefs: 00007FFB1DE65E77
SSL_clear, xrefs: 00007FFB1DE65E6B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_clear$ssl\ssl_lib.c
API String ID: 1552677711-283065258
Opcode ID: 2257ca574d6040777a07f9f7943df03ed387cf86179245e7968518ea74f158f8
Instruction ID: 622edcdd68c2265b3c2a3bdd25b69f7352d539fd9cdef952cd6ec11c4ee18cda
Opcode Fuzzy Hash: 2257ca574d6040777a07f9f7943df03ed387cf86179245e7968518ea74f158f8
Instruction Fuzzy Hash: A1E092A7F19D01C2FE50A739C8462BA1262EF4C712F900035D00C82B91FF2CE6468601

Function 00007FFB1DE6FDD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE6FDDD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE6FDF5
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE6FE06

Strings

ssl_undefined_void_function, xrefs: 00007FFB1DE6FDE2
ssl\ssl_lib.c, xrefs: 00007FFB1DE6FDEE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ssl\ssl_lib.c$ssl_undefined_void_function
API String ID: 1552677711-906180228
Opcode ID: b5ef6486a82893b31f0dfb5e8b3ca82c3df79b5c5a08878b73d24f5bebbba630
Instruction ID: 814b64ec0449fa6bc4c19404184913330351d5822b7c103f3cc9a9dd747da780
Opcode Fuzzy Hash: b5ef6486a82893b31f0dfb5e8b3ca82c3df79b5c5a08878b73d24f5bebbba630
Instruction Fuzzy Hash: 40E012A7E29D4283EA40B779DC5B5FB1212DF4C722FD04435E44DC2A96FE2DE54A8601

Function 00007FFB1C8E9484 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFB1C8E95A7
__AdjustPointer.LIBCMT ref: 00007FFB1C8E95F2

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 02ba805e0a4b883095b28d2556daf4f6aa36844bd0038181826c7de427818c46
Instruction ID: 0c742d550536e4a041855553776dba7ae748e35389e9c442ec4d04d15f063e11
Opcode Fuzzy Hash: 02ba805e0a4b883095b28d2556daf4f6aa36844bd0038181826c7de427818c46
Instruction Fuzzy Hash: 41B1B4E2A09ED281EE659F36D4C85F86396AF44BA4F298436DE4D07795DFBCE441C300

Function 00007FFB1C8FFB08 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFB1C8FFB47
_set_statfp.LIBCMT ref: 00007FFB1C8FFB65
_set_statfp.LIBCMT ref: 00007FFB1C8FFB8E
_set_statfp.LIBCMT ref: 00007FFB1C8FFDCA

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 2d270502b19851da16d4132b72e91039797d776068c17c82afa3843bf6cf12f1
Instruction ID: f52d14c3f5fae605c71be05b85d013a5a0bda275c30dc0011f48794bc293836b
Opcode Fuzzy Hash: 2d270502b19851da16d4132b72e91039797d776068c17c82afa3843bf6cf12f1
Instruction Fuzzy Hash: D481F3E2908E5686F7729F35E8983FE6792AF453F8F244331EE4D26594DF3CA4818640

Function 00007FFB1DE52D50 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFB1DE52DFA
BIO_set_retry_reason.LIBCRYPTO-3-X64 ref: 00007FFB1DE52E9A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_set_flagsO_set_retry_reason
String ID:
API String ID: 599196049-0
Opcode ID: bc74afbb446ccee2a6dc1b2145f0ceb463e15f8e8be36053ed4b98a66c89d4a7
Instruction ID: 8907c9893f74e26341579138b74df760bd3c64273b585e4ece54d641d885b798
Opcode Fuzzy Hash: bc74afbb446ccee2a6dc1b2145f0ceb463e15f8e8be36053ed4b98a66c89d4a7
Instruction Fuzzy Hash: F641C6B7A0CE1242EE65AA36E54527F6253AF4DFE2F104431ED4D47B8EEE3CE4528640

Function 00007FFB1C90CEFC Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFB1C90CF24
_set_statfp.LIBCMT ref: 00007FFB1C90CF3F
_set_statfp.LIBCMT ref: 00007FFB1C90CF5B
_set_statfp.LIBCMT ref: 00007FFB1C90CF97

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction ID: fdd867880ac54d485f62f24610ae175648734ef8132677564ab56a88d7bafa05
Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction Fuzzy Hash: 651160E2E18F8355F6D61938DD4A3F5124B6F543F4E780A34E76E162D69E1CA8B04107

Function 00007FFB1C8F91A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFB1C8F362F,?,?,00000000,00007FFB1C8F38CA,?,?,?,?,?,00007FFB1C8F3856), ref: 00007FFB1C8F91BF
FlsSetValue.KERNEL32(?,?,?,00007FFB1C8F362F,?,?,00000000,00007FFB1C8F38CA,?,?,?,?,?,00007FFB1C8F3856), ref: 00007FFB1C8F91DE
FlsSetValue.KERNEL32(?,?,?,00007FFB1C8F362F,?,?,00000000,00007FFB1C8F38CA,?,?,?,?,?,00007FFB1C8F3856), ref: 00007FFB1C8F9206
FlsSetValue.KERNEL32(?,?,?,00007FFB1C8F362F,?,?,00000000,00007FFB1C8F38CA,?,?,?,?,?,00007FFB1C8F3856), ref: 00007FFB1C8F9217
FlsSetValue.KERNEL32(?,?,?,00007FFB1C8F362F,?,?,00000000,00007FFB1C8F38CA,?,?,?,?,?,00007FFB1C8F3856), ref: 00007FFB1C8F9228

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ff98a68c00233d23bf4277dcab5cbe86b933014db5a5e86d30f265948e56147f
Instruction ID: b4ae6d3a205e1f19571eaba0fe09a12eb1dfbb7591100afffdabfa981615a024
Opcode Fuzzy Hash: ff98a68c00233d23bf4277dcab5cbe86b933014db5a5e86d30f265948e56147f
Instruction Fuzzy Hash: 1A113AE0B0CE8241FA599B75D5DA1F963436F843F0F245339E93D07ADADE2CA4528611

Function 00007FFB1C8F9034 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFB1C8F4945), ref: 00007FFB1C8F9045
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFB1C8F4945), ref: 00007FFB1C8F9064
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFB1C8F4945), ref: 00007FFB1C8F908C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFB1C8F4945), ref: 00007FFB1C8F909D
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFB1C8F4945), ref: 00007FFB1C8F90AE

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7f2325419ec8957819a8f486822e8a015fe792097882926f3c249474aab5be9d
Instruction ID: d68516b2e9e6fd0ae36567ed440b880251286efc9733e64163a6c2de0bb1594a
Opcode Fuzzy Hash: 7f2325419ec8957819a8f486822e8a015fe792097882926f3c249474aab5be9d
Instruction Fuzzy Hash: 741115D4A0CE8741FA69AB71C4AA1FA13534F813B0F381739E93E0BAD2DD2EB4418611

Function 00007FFB1C901D44 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C902023

Part of subcall function 00007FFB1C909B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C909B3D

Strings

UTF-8, xrefs: 00007FFB1C901FA2
ccs, xrefs: 00007FFB1C901F5E
UTF-16LEUNICODE, xrefs: 00007FFB1C901FC1

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: e6e90d98cd2fa8d97f1f90236d009788bcf0434551d9a942541881f42287f5e1
Instruction ID: 7eee01e0e1f48d48137e3bf5289dab11c18314d12461111462b24ca9f7ce7a49
Opcode Fuzzy Hash: e6e90d98cd2fa8d97f1f90236d009788bcf0434551d9a942541881f42287f5e1
Instruction Fuzzy Hash: 428181F2E08E0285FBE74FB5C9582F837AAEB117E4F758035DB0957294DB2DA9319201

Function 00007FFB1C883340 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FFB1C883390

Part of subcall function 00007FFB1C8E5B98: AreFileApisANSI.KERNEL32 ref: 00007FFB1C8E5BAA

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFB1C883638

Strings

: ", xrefs: 00007FFB1C8834B6
", ", xrefs: 00007FFB1C8834E9

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ApisFile__std_exception_destroy__std_fs_code_page
String ID: ", "$: "
API String ID: 376971205-747220369
Opcode ID: fd93db0896dd713633c0e279ad32f8ebd9ef9d34f5a163e6efce9bbd08f8b77f
Instruction ID: b3c4dc66b35a73c3b98b8f4c3fd075275ef900b42c4a9490e34269abfbce0882
Opcode Fuzzy Hash: fd93db0896dd713633c0e279ad32f8ebd9ef9d34f5a163e6efce9bbd08f8b77f
Instruction Fuzzy Hash: E4919AE2B14B5285EB049BB5D4883FD2362FB84BE8F608535DE5D27B99DF78D4918300

Function 00007FFB1C901A80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C901D29

Part of subcall function 00007FFB1C909D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C909D25

Strings

ccs, xrefs: 00007FFB1C901C75
UTF-16LEUNICODE, xrefs: 00007FFB1C901CCD
UTF-8, xrefs: 00007FFB1C901CAC

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 0dbf5c3460b9fd9c36beeffc2a58a49274306e5bd6dde5503b8835b746cd4fe8
Instruction ID: 27f379d993558293edbb07f2598cf2c796222d214f1ce7f437059ef0b76c2b70
Opcode Fuzzy Hash: 0dbf5c3460b9fd9c36beeffc2a58a49274306e5bd6dde5503b8835b746cd4fe8
Instruction Fuzzy Hash: C681D5F1E0CA5285FBE74AB8CA5C3F92B9B9F117E4F355034CA0E52295DA1DE821D301

Function 00007FFB1C8A4980 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8A4C0E

Part of subcall function 00007FFB1C8E52D4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFB1C8E52DD

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB1C8A4C14

Strings

true, xrefs: 00007FFB1C8A4ABA
false, xrefs: 00007FFB1C8A4A0D

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID: false$true
API String ID: 1173176844-2658103896
Opcode ID: 9ec97af12e964b6aace62ceb9a84500b33c538701714855e2a5da709bf416a4a
Instruction ID: b2715f4db888eb51647469a56ace615f5d8c8b046554cdd34c1f42919954f652
Opcode Fuzzy Hash: 9ec97af12e964b6aace62ceb9a84500b33c538701714855e2a5da709bf416a4a
Instruction Fuzzy Hash: 7F81AEB2B19B4585EB108F75D4882F933AAFB88798F251135EE4C43B99EF38E506C304

Function 00007FFB1C8E8DF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C8E8E1B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFB1C8E8EB2
RtlUnwindEx.KERNEL32 ref: 00007FFB1C8E8F0C

Strings

csm, xrefs: 00007FFB1C8E8E99

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: e1910066c909e61b8da74eeb045bd545ce587b152b8db281873e246e91865a53
Instruction ID: 916dfc298a45d379968f3719a2a69531dd0ce4728c4dc368e3f1fc836f3d85d1
Opcode Fuzzy Hash: e1910066c909e61b8da74eeb045bd545ce587b152b8db281873e246e91865a53
Instruction Fuzzy Hash: 725197F2B29A028ADB54DB29D488ABD7393FB54BA4F604135EA4D47788DF7DE841C700

Function 00007FFB1C8EAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C8EADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFB1C8EAE88

Strings

csm, xrefs: 00007FFB1C8EADC2
csm, xrefs: 00007FFB1C8EAEDA

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 579e62d5dcf39bef7f008a15abfd323536aee67e4db651f3353792bacddaa7c4
Instruction ID: 2f69df4331f498509bf186adb525e96175e28c0cd3df8f926a06885393d3f7ca
Opcode Fuzzy Hash: 579e62d5dcf39bef7f008a15abfd323536aee67e4db651f3353792bacddaa7c4
Instruction Fuzzy Hash: 455171F2A08A828ADB648B31D0C92F9BBA2EB54FA5F284135DA5D47795CF3CE450C700

Function 00007FFB1C8EA588 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFB1C8EA5E7
_CallSETranslator.LIBVCRUNTIME ref: 00007FFB1C8EA633

Strings

RCC, xrefs: 00007FFB1C8EA603
MOC, xrefs: 00007FFB1C8EA5FB

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a92587d75cc93cabdcf4f3f2b962bbd85e36e0aa47eb487fde9cf508de37bb43
Instruction ID: 17d5b8d7eecb5fb225571cfee202967e881381b24147ac46d3867904512c6348
Opcode Fuzzy Hash: a92587d75cc93cabdcf4f3f2b962bbd85e36e0aa47eb487fde9cf508de37bb43
Instruction Fuzzy Hash: B1616CB2908BC585DA60DB25E4853FABBA1FB85BA4F144235EA9C03B55DF7CD194CB00

Function 00007FFB1DE94FD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

BIO_free_all.LIBCRYPTO-3-X64 ref: 00007FFB1DE95194
BIO_free_all.LIBCRYPTO-3-X64 ref: 00007FFB1DE9519D

Strings

expect_quic, xrefs: 00007FFB1DE9501F
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE9502B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_free_all
String ID: expect_quic$ssl\quic\quic_impl.c
API String ID: 310313773-2248945671
Opcode ID: 58609376920fe9830b25da79e57e0c5deb655e785a879b1b57598548105d98f6
Instruction ID: 3e6e2d2dda78abbceff84163e31de0cb6880437817ff203d751ad0eb794c4f82
Opcode Fuzzy Hash: 58609376920fe9830b25da79e57e0c5deb655e785a879b1b57598548105d98f6
Instruction Fuzzy Hash: EE5113A7B09D4292EE14AB36D5512BF6352FB89BA1F040032DB8E4779AEF2DF4518340

Function 00007FFB1C8A3A00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8A3A6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C8A3AB3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8A3B43

Strings

bad locale name, xrefs: 00007FFB1C8A386C, 00007FFB1C8A3B66

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 8cbd0fc6996597c055b788eb7eb55d40133d75a4f9689f80e5253e84b833e26c
Instruction ID: 32fa831f9d41e92589d6ced0b78519497188dc876461d9138a7a2dd6bbddfc6e
Opcode Fuzzy Hash: 8cbd0fc6996597c055b788eb7eb55d40133d75a4f9689f80e5253e84b833e26c
Instruction Fuzzy Hash: AD4178B2B0AE4199EB10DFB0D4E43FC23A6EF44B18F184534EA4D66A99DF38D5229344

Function 00007FFB1C8A3B80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8A3BEB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C8A3C33
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8A3CC3

Strings

bad locale name, xrefs: 00007FFB1C8A3CE6

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: cd33b751c80d95aa30cca1794e2014743943cf54d188cc9f309773096eb92f7d
Instruction ID: 35949b9d4348c7569b2b3f8111f419dd0d35e190a84ed6acacce1ff5a2c9810c
Opcode Fuzzy Hash: cd33b751c80d95aa30cca1794e2014743943cf54d188cc9f309773096eb92f7d
Instruction Fuzzy Hash: 0E41A9B2B4AE4199EB10DFB0D8E42FC23A6EF44B58F290034DE4D67A59DF38D5229344

Function 00007FFB1C8A3880 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8A38EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C8A3933
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8A39C3

Strings

bad locale name, xrefs: 00007FFB1C8A39E6

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: d71730aa56dedfcfd4fb73ccda19d58bc38f3a746f847c72f537ecc65e5be52c
Instruction ID: 35b21c6eb61de2a262f0ec097e1432f630eb9416e40cc0c17401c8c022b5bce7
Opcode Fuzzy Hash: d71730aa56dedfcfd4fb73ccda19d58bc38f3a746f847c72f537ecc65e5be52c
Instruction Fuzzy Hash: 884169B2B0AA4189FB14DF70D4D43FC23A5EF44B58F280534DA4D66A99DF38E5259348

Function 00007FFB1C8A34D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFB1C8A353F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFB1C8A3587
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFB1C8A362E

Strings

bad locale name, xrefs: 00007FFB1C8A3651

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 726bb79908c8521064fae70be110fc702adb41f1a2f479b6f35cee9791912d9d
Instruction ID: 19b968b0ba3f9ab2f9d5ecf8c05e3dd54be0a1132805155278e2f3329b5553c9
Opcode Fuzzy Hash: 726bb79908c8521064fae70be110fc702adb41f1a2f479b6f35cee9791912d9d
Instruction Fuzzy Hash: 584169B2B0AA4189EB14DFB0D4A42FC23A5EF44B68F140134EE4D67A59DF38D525D354

Function 00007FFB1DE6A090 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFB1DE9437F

Part of subcall function 00007FFB1DE992F0: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DE9935D
Part of subcall function 00007FFB1DE992F0: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DE9936A
Part of subcall function 00007FFB1DE992F0: ERR_vset_error.LIBCRYPTO-3-X64 ref: 00007FFB1DE99382

Strings

ossl_quic_conn_set_initial_peer_addr, xrefs: 00007FFB1DE94340
expect_quic, xrefs: 00007FFB1DE942C9
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE942D5, 00007FFB1DE94355

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_clearR_newR_set_debugR_vset_error
String ID: expect_quic$ossl_quic_conn_set_initial_peer_addr$ssl\quic\quic_impl.c
API String ID: 2693550024-1504762518
Opcode ID: b92dd67e8eecdd7d320e26fd2c7dd8993febef07b7ba88b2c019005e4c189bc2
Instruction ID: 6c1e3fb503cb59051796997a8d175000923d13b77f0e0c3ffd1dd54b6419e148
Opcode Fuzzy Hash: b92dd67e8eecdd7d320e26fd2c7dd8993febef07b7ba88b2c019005e4c189bc2
Instruction Fuzzy Hash: D541B373E19F8182EA54CB39E04036E7362FB49BA4F144235EA8C47B99EF2DD581CB00

Function 00007FFB1DEB2FE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB30D7
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB30EF

Part of subcall function 00007FFB1DE51C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE51C95

Strings

ssl\record\methods\dtls_meth.c, xrefs: 00007FFB1DEB30E8
dtls_prepare_record_header, xrefs: 00007FFB1DEB30DC

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_zallocR_newR_set_debug
String ID: dtls_prepare_record_header$ssl\record\methods\dtls_meth.c
API String ID: 905617597-237605659
Opcode ID: a7a681025f57bf6a4821249d9ca66c32590454ea60e188642d74bb92edb62e97
Instruction ID: e9ed39f3b7a0154dfae440e026cc10ed4f155d55c90848a49840e9432ddf972a
Opcode Fuzzy Hash: a7a681025f57bf6a4821249d9ca66c32590454ea60e188642d74bb92edb62e97
Instruction Fuzzy Hash: 7D3185A6B08E5241FE509B32D9057BB6292AF49BD2F044131EF8D57B8AFE7DE4018700

Function 00007FFB1DEBF040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

tls_construct_ctos_server_name, xrefs: 00007FFB1DEBF12B
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBF137

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_server_name
API String ID: 0-3351240862
Opcode ID: d2cafb206ee9e42dbf643c9a3589d5378b9ffd153b9731fabcfa5a78a8077ce1
Instruction ID: 0103b002fb403420fa2cb672c6ca94b1b4ee4afd94bf9f1e615eaedf50c33d0b
Opcode Fuzzy Hash: d2cafb206ee9e42dbf643c9a3589d5378b9ffd153b9731fabcfa5a78a8077ce1
Instruction Fuzzy Hash: E32180A3F18D4241FF54A636E9013B722929F497E1F086230DA4D8A6C7FE2EE8518700

Function 00007FFB1DEBECA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBED76
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBED8E

Part of subcall function 00007FFB1DE51C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE51C95

Strings

tls_construct_ctos_psk_kex_modes, xrefs: 00007FFB1DEBED7B
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBED87

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_zallocR_newR_set_debug
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_psk_kex_modes
API String ID: 905617597-4063274569
Opcode ID: 4d3ef443dd32738ef94f9ffc49a17d44597f35406d956151f950636e28ef5d21
Instruction ID: 8ff64b9ac4d88a154b2f1496f1944fa0503d0a811ce2d3744d306d361facc129
Opcode Fuzzy Hash: 4d3ef443dd32738ef94f9ffc49a17d44597f35406d956151f950636e28ef5d21
Instruction Fuzzy Hash: 1E2121A7B08E4242FF649732D9017BB62929F89BD5F084130DE1D8B69AFE7DF8518740

Function 00007FFB1C882B00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFB1C882BB8

Part of subcall function 00007FFB1C8E8D20: RtlPcToFileHeader.KERNEL32 ref: 00007FFB1C8E8D70
Part of subcall function 00007FFB1C8E8D20: RaiseException.KERNEL32 ref: 00007FFB1C8E8DB1

Strings

ios_base::failbit set, xrefs: 00007FFB1C882A40, 00007FFB1C882B3B
ios_base::eofbit set, xrefs: 00007FFB1C882B42
ios_base::badbit set, xrefs: 00007FFB1C882B2F

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise__std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3973727643-1866435925
Opcode ID: 90d032a7ffa9cabd8ff71a74c4c956678094a2cea39eda2cc76b34acadda3a6d
Instruction ID: 79a875773b3f7b3f122a2f13c3ce113f626cdf538660b3804aefa88b984d2300
Opcode Fuzzy Hash: 90d032a7ffa9cabd8ff71a74c4c956678094a2cea39eda2cc76b34acadda3a6d
Instruction Fuzzy Hash: D72190E2A29F8791EB058F20E5C51F96362FB54794FB88131DA4C42A65EF3CE595C340

Function 00007FFB1DEB6F20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEB700E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEB7026

Strings

tls_read_record, xrefs: 00007FFB1DEB7013
ssl\record\methods\tls_common.c, xrefs: 00007FFB1DEB701F

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\record\methods\tls_common.c$tls_read_record
API String ID: 193678381-823199972
Opcode ID: 446d2d018dd0ad8f0e2f5bfaa6bf016003014cfd997c1eb5f989a1bf0b888c26
Instruction ID: 93d2e173fc360cb23b3007d8a38a61ff1021d555df58e60231e4c315dedd1c4f
Opcode Fuzzy Hash: 446d2d018dd0ad8f0e2f5bfaa6bf016003014cfd997c1eb5f989a1bf0b888c26
Instruction Fuzzy Hash: 023139B3609F8181DB10DF25E4802A97762FB98BA4F444532EE8D47BA8EF38D490C710

Function 00007FFB1DEC2DE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

tls_construct_stoc_alpn, xrefs: 00007FFB1DEC2E97
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC2EA3

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_alpn
API String ID: 0-2562604191
Opcode ID: 989120ea1205a1928d3b71d70ca704b230b2ae8e3ea4f8ea9a1cea44732d8d8c
Instruction ID: 4343e1402f9c1d84e6790b73628e0fac06513f35bdd90cdc69e2d876bf8292b4
Opcode Fuzzy Hash: 989120ea1205a1928d3b71d70ca704b230b2ae8e3ea4f8ea9a1cea44732d8d8c
Instruction Fuzzy Hash: AE216DA2B08D4242FE55A732E9553FB2352AF487E5F484531EE4D8B6C6FE2DE8518700

Function 00007FFB1DEC4060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4107
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC411F

Part of subcall function 00007FFB1DE51DB0: memcpy.VCRUNTIME140 ref: 00007FFB1DE51E0E

Strings

tls_construct_stoc_next_proto_neg, xrefs: 00007FFB1DEC410C
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC4118

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugmemcpy
String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_next_proto_neg
API String ID: 3246248616-633186760
Opcode ID: ad9d770aaf187cdb11f3294e58328c9f563c265e627c52a0db9c7f25b599f4b5
Instruction ID: 78460048d20334bd5601a92ea1e06acd41ce1c2ae0cac808ec50e385f9540970
Opcode Fuzzy Hash: ad9d770aaf187cdb11f3294e58328c9f563c265e627c52a0db9c7f25b599f4b5
Instruction Fuzzy Hash: 112162A7B0898282EF509B26E5817BB6761EB48BD9F444031DF4C47795FE2DE545CB00

Function 00007FFB1DEBBFA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBBFDA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBBFF2

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

ssl\statem\extensions.c, xrefs: 00007FFB1DEBBFEB
final_early_data, xrefs: 00007FFB1DEBBFDF

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: final_early_data$ssl\statem\extensions.c
API String ID: 1390262125-3185048299
Opcode ID: b17a828907952493b5178d3e066592b38d33a091caaec5c2d7efd8a2ae591b1d
Instruction ID: 18d4e909bd59d09635a79b8c95f890a39d5ad5a694e41c5bc28ac52cd675cfe2
Opcode Fuzzy Hash: b17a828907952493b5178d3e066592b38d33a091caaec5c2d7efd8a2ae591b1d
Instruction Fuzzy Hash: 1121C9B3B0DA4286FF918774C4493FA21A2DF0876AF188235C54D4A6D0EF7DA4D7C610

Function 00007FFB1DEC3F70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC4007
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC401F

Part of subcall function 00007FFB1DE51C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFB1DE51C95

Strings

tls_construct_stoc_maxfragmentlen, xrefs: 00007FFB1DEC400C
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC4018

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_zallocR_newR_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_maxfragmentlen
API String ID: 905617597-899864512
Opcode ID: c7f7ae93b32aef7a1b4cdc8b35a7b3a29a1a523d37c6ccf042c85313c0a2b8ce
Instruction ID: 6d5053ff6f31291b9145cbba227ad6f39bb965e979c64f99f6eec72592b06764
Opcode Fuzzy Hash: c7f7ae93b32aef7a1b4cdc8b35a7b3a29a1a523d37c6ccf042c85313c0a2b8ce
Instruction Fuzzy Hash: B911A2A7B1898242EF559732E9427BB1752EB4C7D6F484130EE5C87AC6FE2EE5808700

Function 00007FFB1DEBEF50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

tls_construct_ctos_server_cert_type, xrefs: 00007FFB1DEBEFF8
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBF004

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_server_cert_type
API String ID: 0-252892011
Opcode ID: cbdcd37dca3ce416939be0065871b8dae0fb502d0ec97fd28b8052f09e835d60
Instruction ID: 5e523a9e2303cd8379513bba18a55f6d969ac2aab93ab8aeedd93635bd9e30af
Opcode Fuzzy Hash: cbdcd37dca3ce416939be0065871b8dae0fb502d0ec97fd28b8052f09e835d60
Instruction Fuzzy Hash: CB1190A2B0C98281EF509736E5453FB1652AF49BE5F080130EE4C8BAC6FE6DE4828750

Function 00007FFB1DE79D20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

OSSL_PARAM_construct_utf8_string.LIBCRYPTO-3-X64 ref: 00007FFB1DE79D61
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64 ref: 00007FFB1DE79D87
EVP_MAC_init.LIBCRYPTO-3-X64 ref: 00007FFB1DE79DBC

Strings

digest, xrefs: 00007FFB1DE79D52

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: C_initM_construct_endM_construct_utf8_string
String ID: digest
API String ID: 3272910289-219324594
Opcode ID: e7b5f8ab2ab733d37771a91d645c23a3792098325b06a6c25927c6d261164597
Instruction ID: dc4f08c53731b64f7ee33ef294b88f0c812b9769a434434f1b54a509221af8cd
Opcode Fuzzy Hash: e7b5f8ab2ab733d37771a91d645c23a3792098325b06a6c25927c6d261164597
Instruction Fuzzy Hash: EB21A363A08F8981E6218B35D4013AAA361FF99BD4F549631EF8C53656EF38E181C700

Function 00007FFB1DEBEDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

tls_construct_ctos_renegotiate, xrefs: 00007FFB1DEBEE5B
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBEE67

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_renegotiate
API String ID: 0-652228395
Opcode ID: b133081cee10f899bcbd6569f8c70c2d281cf1822bf7873539e7bd84d54d7b9b
Instruction ID: 0ab3f062d79a42879b69386dde3ba64c4e802795db688bc8eb533a6be0434ec1
Opcode Fuzzy Hash: b133081cee10f899bcbd6569f8c70c2d281cf1822bf7873539e7bd84d54d7b9b
Instruction Fuzzy Hash: 5C11B6A2B18D4382FF549732E5457BB12929F4DBE5F041130EE5D8B6C6FE6DE4818700

Function 00007FFB1DE93FE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

BIO_free_all.LIBCRYPTO-3-X64(?,00007FFB1DE69F9F,00000000,00007FFB1DE6A6AC,00000000,00007FFB1DEA621A,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE94069
BIO_ctrl.LIBCRYPTO-3-X64(?,00007FFB1DE69F9F,00000000,00007FFB1DE6A6AC,00000000,00007FFB1DEA621A,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE94085

Strings

expect_quic, xrefs: 00007FFB1DE94021
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE9402D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_ctrlO_free_all
String ID: expect_quic$ssl\quic\quic_impl.c
API String ID: 2139435285-2248945671
Opcode ID: bf960a43dfa119094f1049f365a7c77dfff2a509f3941942da96589e4e667ef1
Instruction ID: 3db7a459c1b1a3443fb3afec8d899a80b4a3bb00da867360f6a3b5a213daebc3
Opcode Fuzzy Hash: bf960a43dfa119094f1049f365a7c77dfff2a509f3941942da96589e4e667ef1
Instruction Fuzzy Hash: 67115EA3A09D0281EF589F39D59067B73A3EB48BA5F144031E94D4769AFE2ED841C705

Function 00007FFB1DE93F10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

BIO_free_all.LIBCRYPTO-3-X64(00000000,00007FFB1DE6A6A1,00000000,00007FFB1DEA621A,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE93F99
BIO_ctrl.LIBCRYPTO-3-X64(00000000,00007FFB1DE6A6A1,00000000,00007FFB1DEA621A,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE93FB5

Strings

expect_quic, xrefs: 00007FFB1DE93F51
ssl\quic\quic_impl.c, xrefs: 00007FFB1DE93F5D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_ctrlO_free_all
String ID: expect_quic$ssl\quic\quic_impl.c
API String ID: 2139435285-2248945671
Opcode ID: a4a44e0a911c00668f43f79b2454886779599e16895e2de67dcc8c1ceea34f26
Instruction ID: 82e6d4658ee2ba241c209eac526770fdeebd83f16c9a7305f833b622f0c92320
Opcode Fuzzy Hash: a4a44e0a911c00668f43f79b2454886779599e16895e2de67dcc8c1ceea34f26
Instruction Fuzzy Hash: E1116FA3A0AE0282EF599B39D1406BA72A3EF48BE5F145131EE4D4669DFE2DE4018700

Function 00007FFB1DEBDF00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

tls_construct_ctos_etm, xrefs: 00007FFB1DEBDF72
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBDF7E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_etm
API String ID: 0-2945823714
Opcode ID: 0c9d0d304773c739a15f1abdf8cbc165089eebf17c8ad48843e4358b09565c4b
Instruction ID: 960380c7c1ae38558457ddcfffcb3d989c032fdc8cdaa54042d98b17ffa64aa3
Opcode Fuzzy Hash: 0c9d0d304773c739a15f1abdf8cbc165089eebf17c8ad48843e4358b09565c4b
Instruction Fuzzy Hash: 7701C8A3B1884142FF509736E9456FB6352DF4C7E1F440130EA4C8B686FD1DE9818700

Function 00007FFB1DEBDE50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

tls_construct_ctos_ems, xrefs: 00007FFB1DEBDEBE
ssl\statem\extensions_clnt.c, xrefs: 00007FFB1DEBDECA

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID:
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_ems
API String ID: 0-3466209177
Opcode ID: c53574d073b0664670c5933581eba5be49694e4d3caa5702a9c1e844b52574ed
Instruction ID: e6773eba6b64a3be8016c8787a3b540367f9b0ab72edd2124deb56929a1181bc
Opcode Fuzzy Hash: c53574d073b0664670c5933581eba5be49694e4d3caa5702a9c1e844b52574ed
Instruction Fuzzy Hash: 8801C4A3F1894242EF519736E9456FB22529F4C7E5F480131EE4C8B687FE2DE8918700

Function 00007FFB1DEBBF10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEBBF51
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEBBF69

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

final_sig_algs, xrefs: 00007FFB1DEBBF56
ssl\statem\extensions.c, xrefs: 00007FFB1DEBBF62

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: final_sig_algs$ssl\statem\extensions.c
API String ID: 1390262125-2473619387
Opcode ID: 7adad123db141f47db6e0bc36bdfaf928832bc1899966b1e50a801eeee6d1c63
Instruction ID: 7452766ebb143cc7f73813460de61f57c53c2f2a7a8c75b38f1f3268e1384f94
Opcode Fuzzy Hash: 7adad123db141f47db6e0bc36bdfaf928832bc1899966b1e50a801eeee6d1c63
Instruction Fuzzy Hash: 0701F2E3E04D4282EF6287B5CC457BA3692DF0C762F54A131D90C82691FE1CE8C18B01

Function 00007FFB1DEC6ED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6F02
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6F1A

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

tls_parse_ctos_session_ticket, xrefs: 00007FFB1DEC6F07
ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC6F13

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_session_ticket
API String ID: 1390262125-1807010212
Opcode ID: c2bc48c5b015485ed25abcb9031bb7e21a2580543d48e6c3d6e6e74f2edbc6aa
Instruction ID: 758425012ee6246fd3b407362112456a3187aa9f8342cdbbe6139ba8b5461ecb
Opcode Fuzzy Hash: c2bc48c5b015485ed25abcb9031bb7e21a2580543d48e6c3d6e6e74f2edbc6aa
Instruction Fuzzy Hash: 79F062A3B25E4242EF519775C8556B612529F4CBA1F880031DD0C877A1FE1DE591C700

Function 00007FFB1DEC8F20 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC9132
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC914A

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DEC9143
ossl_statem_client13_write_transition, xrefs: 00007FFB1DEC913C

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ossl_statem_client13_write_transition$ssl\statem\statem_clnt.c
API String ID: 193678381-1511665306
Opcode ID: e910985e989c7380df3dd25c8681c6457797ca7c7d55ed76a21ce95935016e15
Instruction ID: 3f8d354976dec729954a9ce40c0029f895087af02f8edbead278301fee6aff10
Opcode Fuzzy Hash: e910985e989c7380df3dd25c8681c6457797ca7c7d55ed76a21ce95935016e15
Instruction Fuzzy Hash: 15F0BBA3E05C8246FF019774D8996FA2752DF4D7A6F944531D50CC62A2FE1CE542C300

Function 00007FFB1DECCD60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DECCD82
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DECCD9A

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DECCD93
tls_construct_end_of_early_data, xrefs: 00007FFB1DECCD87

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\statem_clnt.c$tls_construct_end_of_early_data
API String ID: 1390262125-1184863746
Opcode ID: 7afc51ac036726d851f8b1882a57b2ba4cff9e1da9f8b23a9a1d2d85de70a7e6
Instruction ID: e849142739915b2f552b37bfd9402c9d06f940721d3c90d29a1ce1c4fcc1a18e
Opcode Fuzzy Hash: 7afc51ac036726d851f8b1882a57b2ba4cff9e1da9f8b23a9a1d2d85de70a7e6
Instruction Fuzzy Hash: 76F0E2E2E0498283FF40A775C8497FA2611DF48765F984531D91C862E1FF2CA8868300

Function 00007FFB1DE80F7D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE80FBA
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE80FED

Part of subcall function 00007FFB1DE810A0: BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE810CA
Part of subcall function 00007FFB1DE810A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810E4
Part of subcall function 00007FFB1DE810A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFB1DE7ECED), ref: 00007FFB1DE810FF

Strings

%s (%d), xrefs: 00007FFB1DE80FE0
unexpected value, xrefs: 00007FFB1DE80F91

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_printf$O_indent
String ID: %s (%d)$unexpected value
API String ID: 1715996925-1289549259
Opcode ID: da6196416a8857c8029abf91222ec516bc4e28eb46644b9a8529e54ac426eb56
Instruction ID: 76760c201664185cad26f4db11e499e59bec9f6e19d642def452df34fb2f9839
Opcode Fuzzy Hash: da6196416a8857c8029abf91222ec516bc4e28eb46644b9a8529e54ac426eb56
Instruction Fuzzy Hash: B7F0C2F3B0CE6281EE208B74C4401BA2A03AF48BA6F604031E94D137A5FE3CE542C310

Function 00007FFB1DEC5FE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC5FF9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC6011

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

ssl\statem\extensions_srvr.c, xrefs: 00007FFB1DEC600A
tls_parse_ctos_post_handshake_auth, xrefs: 00007FFB1DEC5FFE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_post_handshake_auth
API String ID: 1390262125-358320714
Opcode ID: d002d42a0717af06ec275ab89906253092fefdc74a38b7683cdd0b72673074a3
Instruction ID: 60f0bc243beba36eb6e78866b978ccb3caccb39f841ce9d053c81fb694482c36
Opcode Fuzzy Hash: d002d42a0717af06ec275ab89906253092fefdc74a38b7683cdd0b72673074a3
Instruction Fuzzy Hash: E3F0A0E3E04D4282FB41A771D85A3F71652EF487A6F840430D60C8A6D2FF6DA9868700

Function 00007FFB1DEC8F96 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFB1DEC8FA3
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFB1DEC914A

Part of subcall function 00007FFB1DEC7DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFB1DEB23E4), ref: 00007FFB1DEC7E0F

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFB1DEC9143
ossl_statem_client13_write_transition, xrefs: 00007FFB1DEC913C

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ossl_statem_client13_write_transition$ssl\statem\statem_clnt.c
API String ID: 1390262125-1511665306
Opcode ID: 367b53fa34919b52e6a6bf3a357187ebd8e3599f6bdd932cb4a981d35dab045c
Instruction ID: 4ea65214407825e13a5013d7635a877130ab36bccb408cb71e7a594a56763949
Opcode Fuzzy Hash: 367b53fa34919b52e6a6bf3a357187ebd8e3599f6bdd932cb4a981d35dab045c
Instruction Fuzzy Hash: 60E039B3E0894283FF529B75D8567FA26529F89766F840031C95C8A2A1FE6DA9C68700

Function 00007FFB1C8FAF4C Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFB1C8FAFCB
WriteFile.KERNEL32 ref: 00007FFB1C8FB293
WriteFile.KERNEL32 ref: 00007FFB1C8FB2D9
GetLastError.KERNEL32 ref: 00007FFB1C8FB38F

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1b13ea7ef29764190e5130648e7837a51e5dbd03c563d7dc5bad05565c1a1d29
Instruction ID: aa5039f6066720742f1576a9c66abf4e21c4633e58ebe9f2739a9f2ebfadad3c
Opcode Fuzzy Hash: 1b13ea7ef29764190e5130648e7837a51e5dbd03c563d7dc5bad05565c1a1d29
Instruction Fuzzy Hash: 96D1BEB2B18A8189E711CF75D4842FC37B6FB447E8B244226DE5D97B99DE38E816C340

Function 00007FFB1C8FB90C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00007FFB1C8FBA28
GetLastError.KERNEL32 ref: 00007FFB1C8FBAB3

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9f3edb27f8b31eb2ec0a72f73709640f9e87e9b43b4a35538b8b0267bdfc69d3
Instruction ID: a8708f6a408d8e335aa215dc33fe765c66b575e2c98f751131980476796b2242
Opcode Fuzzy Hash: 9f3edb27f8b31eb2ec0a72f73709640f9e87e9b43b4a35538b8b0267bdfc69d3
Instruction Fuzzy Hash: 1591B8E2B08E5195F7518F75D4886FD2BA2AB04BA8F744139DE4E67E99DE38D842C300

Function 00007FFB1DEC1CC0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE67B30: OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE67BB8
Part of subcall function 00007FFB1DE67B30: OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFB1DE67BC6
Part of subcall function 00007FFB1DE67B30: OPENSSL_sk_new_null.LIBCRYPTO-3-X64 ref: 00007FFB1DE67BEB
Part of subcall function 00007FFB1DE67B30: OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFB1DE67BFE
Part of subcall function 00007FFB1DE67B30: OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFB1DE67C0C

OPENSSL_sk_num.LIBCRYPTO-3-X64(?,?,?,?,?,?,00000000,00007FFB1DEBDD7C), ref: 00007FFB1DEC1D04
OPENSSL_sk_value.LIBCRYPTO-3-X64(?,?,?,?,?,?,00000000,00007FFB1DEBDD7C), ref: 00007FFB1DEC1D17
OPENSSL_sk_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,00000000,00007FFB1DEBDD7C), ref: 00007FFB1DEC1D3A
OPENSSL_sk_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,00000000,00007FFB1DEBDD7C), ref: 00007FFB1DEC1D5B

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_num$L_sk_freeL_sk_value$L_sk_new_nullL_sk_push
String ID:
API String ID: 3149758348-0
Opcode ID: d40ca176a159fd29ccd3f2a9ec703aa16744afa5c8ccacc70bb08c28235174e6
Instruction ID: f0fa39c19a562d8f171b5623ee26a3312f7df4c1a9396abc71aebfa38691f782
Opcode Fuzzy Hash: d40ca176a159fd29ccd3f2a9ec703aa16744afa5c8ccacc70bb08c28235174e6
Instruction Fuzzy Hash: CF3188A3A0CA5241FE509636E54067B6A92BF8CBE6F940630EE8D47796FF3CD0428641

Function 00007FFB1DE6CCD0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-3-X64(00000000,00007FFB1DE671EC,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB1DE534DD), ref: 00007FFB1DE6CD12
OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,00007FFB1DE671EC,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB1DE534DD), ref: 00007FFB1DE6CD63

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: L_sk_new_nullL_sk_num
String ID:
API String ID: 3899727731-0
Opcode ID: a8a9eb027bff06b91739f95119659a1b6626953d83473f96f4779d0cb8b884ef
Instruction ID: 7df232bd7ca380d90752542a99ba5101afdefff5eb5604c09bc739095d3c941c
Opcode Fuzzy Hash: a8a9eb027bff06b91739f95119659a1b6626953d83473f96f4779d0cb8b884ef
Instruction Fuzzy Hash: 972192A2F08E4244EE50EB76D54517B6A92AF8DBE1F484431EE8D83B86FE3DE0518700

Function 00007FFB1C8E5BC0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FFB1C8E5C09
GetLastError.KERNEL32 ref: 00007FFB1C8E5C17
WideCharToMultiByte.KERNEL32 ref: 00007FFB1C8E5C4C
GetLastError.KERNEL32 ref: 00007FFB1C8E5C5A

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: f6c9a901370e54f437e18f5f2df0edc04c4e11dd690c89b411a0d0678a92b0d3
Instruction ID: acd6d430af444e229bf1e222a22903371327255cf911684509e39bb62347cabd
Opcode Fuzzy Hash: f6c9a901370e54f437e18f5f2df0edc04c4e11dd690c89b411a0d0678a92b0d3
Instruction Fuzzy Hash: F82138B2A28B8186E3108F21E44836EB7B5F788FA4F240139DB8957B58DF38D5418B44

Function 00007FFB1DE85020 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

RAND_priv_bytes_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE85054
BN_bin2bn.LIBCRYPTO-3-X64 ref: 00007FFB1DE8506E
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFB1DE85084
SRP_Calc_A.LIBCRYPTO-3-X64 ref: 00007FFB1DE8509E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: Calc_D_priv_bytes_exL_cleanseN_bin2bn
String ID:
API String ID: 2662037904-0
Opcode ID: d1202a039ce44e58266fa0aa3b103805e35b0abcbdc655ae16e47fa9f0cfebc8
Instruction ID: 1d1e2f3298ca7a8503fac25f07783a0beb8a630f49f1deeb5ee1d39a1772c77e
Opcode Fuzzy Hash: d1202a039ce44e58266fa0aa3b103805e35b0abcbdc655ae16e47fa9f0cfebc8
Instruction Fuzzy Hash: 1C114FA3719E8182EF509B35D4662AA73A1FB8CB99F440036ED4DC7745EE28D5418B10

Function 00007FFB1C8E7944 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB1C8E7970
GetCurrentThreadId.KERNEL32 ref: 00007FFB1C8E797E
GetCurrentProcessId.KERNEL32 ref: 00007FFB1C8E798A
QueryPerformanceCounter.KERNEL32 ref: 00007FFB1C8E799A

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: bdc0c2f7c2fb88879892b74a8b0aec03099dbd58f0d2bd6ddc502c4ce17573ee
Instruction ID: e64bc08f2336a23df9b893fa7a2cba66f71b5b9ecdf1fb33451586f64d30633a
Opcode Fuzzy Hash: bdc0c2f7c2fb88879892b74a8b0aec03099dbd58f0d2bd6ddc502c4ce17573ee
Instruction Fuzzy Hash: 8F114CA2B14F018AEB008F70E8492F833A4FB197B8F041E35DA6D467A8DF38D1548340

Function 00007FFB0BC8BB48 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB0BC8BB74
GetCurrentThreadId.KERNEL32 ref: 00007FFB0BC8BB82
GetCurrentProcessId.KERNEL32 ref: 00007FFB0BC8BB8E
QueryPerformanceCounter.KERNEL32 ref: 00007FFB0BC8BB9E

Memory Dump Source

Source File: 0000000A.00000002.1644206997.00007FFB0BA68000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB0B940000, based on PE: true

Associated: 0000000A.00000002.1644167020.00007FFB0B940000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1644206997.00007FFB0B941000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1646484400.00007FFB0BC8C000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1646968266.00007FFB0BD87000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1647078208.00007FFB0BD8B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000A.00000002.1647191338.00007FFB0BD8F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb0b940000_openvpn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
Instruction ID: 6bdf6cc41f6443e68bd6cf3b66dde7898ffb11eccd5c1048e2730a26b5119569
Opcode Fuzzy Hash: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
Instruction Fuzzy Hash: 7E115E62B14F05A9EB00CF70E8546B933A4FB19B58F440E35DA6E86BB4DF38D1548340

Function 00007FFB1DE64FC0 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

X509_STORE_add_lookup.LIBCRYPTO-3-X64 ref: 00007FFB1DE64FE2
ERR_set_mark.LIBCRYPTO-3-X64 ref: 00007FFB1DE64FFA
X509_LOOKUP_ctrl_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE65029
ERR_pop_to_mark.LIBCRYPTO-3-X64 ref: 00007FFB1DE6502E

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: X509_$E_add_lookupP_ctrl_exR_pop_to_markR_set_mark
String ID:
API String ID: 3663983608-0
Opcode ID: d9da7823e7eb195ddc56c5281a668b8646b54cc147d64c4b1a09aecad0e315ef
Instruction ID: 2d506bf657ea346c0c4b68b256f999eb77f1cae22344b1d6494e64c0aec8e44b
Opcode Fuzzy Hash: d9da7823e7eb195ddc56c5281a668b8646b54cc147d64c4b1a09aecad0e315ef
Instruction Fuzzy Hash: 32F062A7A08F4141EB509765F04579A62A1EB4CBE5F545135EA8C4778AFE3CD4404604

Function 00007FFB1DE6EE40 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE83F50: ENGINE_finish.LIBCRYPTO-3-X64(?,00007FFB1DE6EE67,?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE83F82

ERR_set_mark.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE6C
OBJ_nid2sn.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE73
EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE81
ERR_pop_to_mark.LIBCRYPTO-3-X64(?,00007FFB1DE5F901,?,?,?,?,?,00007FFB1DE57023), ref: 00007FFB1DE6EE89

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: E_finishJ_nid2snR_fetchR_pop_to_markR_set_mark
String ID:
API String ID: 3538331334-0
Opcode ID: 6f99aa79a39ac488807f094e67bd8af2ee37af823756ec83a541005c17199b89
Instruction ID: 4ab11d90efd851e501515dcfca1d3b0da8473948089f5fdbabee13aa6abe533b
Opcode Fuzzy Hash: 6f99aa79a39ac488807f094e67bd8af2ee37af823756ec83a541005c17199b89
Instruction Fuzzy Hash: 37F08252B08F4141ED446772E5451AE5556AF4CFD1F485034FE8D877DBFD2CD4010200

Function 00007FFB1DE6EF20 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1DE83FA0: ENGINE_finish.LIBCRYPTO-3-X64(?,00007FFB1DE6EF47,?,00007FFB1DE569A9), ref: 00007FFB1DE83FD2

ERR_set_mark.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF4C
OBJ_nid2sn.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF53
EVP_MD_fetch.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF61
ERR_pop_to_mark.LIBCRYPTO-3-X64(?,00007FFB1DE569A9), ref: 00007FFB1DE6EF69

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_fetchE_finishJ_nid2snR_pop_to_markR_set_mark
String ID:
API String ID: 1050435054-0
Opcode ID: 460f94fcbe86b42aaa6213ad78df64cd835f4078cbfa394baa36523017781f14
Instruction ID: 26d1f58325090e130a9a480cfe881a68449278bd085656e4de20b63c42ac1002
Opcode Fuzzy Hash: 460f94fcbe86b42aaa6213ad78df64cd835f4078cbfa394baa36523017781f14
Instruction Fuzzy Hash: 9BF08C92F08F8201ED446772E4491AA9652AF8CFE1F588034FE8D87BDBFE2CE4020600

Function 00007FFB1C8EA7F8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFB1C8EA868

Strings

MOC, xrefs: 00007FFB1C8EA87C
RCC, xrefs: 00007FFB1C8EA884

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d8ee0bd0de1db41c08bcf532f3b774fe9a4c3ab175046947bb24ea0adece9153
Instruction ID: 33c0e02944ea7cc2f3d82bc671e85423d85928573f124f3475aa1c8143756a3d
Opcode Fuzzy Hash: d8ee0bd0de1db41c08bcf532f3b774fe9a4c3ab175046947bb24ea0adece9153
Instruction Fuzzy Hash: 0D91BCB3A08B918AE711CB75E4852FCBBA1FB44B98F20413AEA4D17B55DF38D191C700

Function 00007FFB1C8EAFB0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C8EAFDA

Strings

csm, xrefs: 00007FFB1C8EB16E
csm, xrefs: 00007FFB1C8EAFFF

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: c8f466a1bfaa004de5fa7e9fc9265149288ce3c5d8da1a2e2648ee9258e7460f
Instruction ID: ae873e5a7158939a9281defcef25f859bdf72879a5afc523eb81dbec60106341
Opcode Fuzzy Hash: c8f466a1bfaa004de5fa7e9fc9265149288ce3c5d8da1a2e2648ee9258e7460f
Instruction Fuzzy Hash: 9871C2F2908A9286DB658F75D0887BC7BA2EB40BA5F248135DE4C47E89CF3CD491C754

Function 00007FFB1C8FF278 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8F3A0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFB1C8F3A3F

_get_daylight.LIBCMT ref: 00007FFB1C8FF390
_get_daylight.LIBCMT ref: 00007FFB1C8FF3A1

Strings

?, xrefs: 00007FFB1C8FF321

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: ca6a068797de3c1994877bc28d64bc541d8f8a2745aaa288c56dd6ff82cda860
Instruction ID: 04c92802dd5dd4667701db8c8f686f27f68c9b7ba8116c86e3e8daebff934c92
Opcode Fuzzy Hash: ca6a068797de3c1994877bc28d64bc541d8f8a2745aaa288c56dd6ff82cda860
Instruction Fuzzy Hash: 9B41E2E2A08A8246FB609B35E4893BE6792EF91BB4F304235EE5D07AD5DE3CD4418740

Function 00007FFB1C8EB648 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C8EB6F2
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFB1C8EB71B

Strings

csm, xrefs: 00007FFB1C8EB81B

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: a1b05f8e544a6628c0df4361e2b9ee54bfe9403ef06bd2c31c9fb5d2cdbed299
Instruction ID: 465cda8951f79741ef528a84510d6d285365e8bd2904528a9e35ea8e1c355efa
Opcode Fuzzy Hash: a1b05f8e544a6628c0df4361e2b9ee54bfe9403ef06bd2c31c9fb5d2cdbed299
Instruction Fuzzy Hash: B9515EF6A18B5186E620EB25E4852FE77A5FB89BA0F200135EF8D07B55CF39E450CB00

Function 00007FFB1C8FB5E4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFB1C8FB6FB
GetLastError.KERNEL32 ref: 00007FFB1C8FB71D

Strings

U, xrefs: 00007FFB1C8FB6A7

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 6f4087d78de70994593cde8addadcce4615979aaebc1520473e2839f7ccbe689
Instruction ID: 96518615756eb7d5b12be9333884e7b7d977e0748266a564dbf433f79014cb8f
Opcode Fuzzy Hash: 6f4087d78de70994593cde8addadcce4615979aaebc1520473e2839f7ccbe689
Instruction Fuzzy Hash: D24194A2B18A4582DB109F35E4883F967A1FB987E4F614035EE4D87B58DF3CD841CB40

Function 00007FFB1DE59E90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFB1DE59EE0
RAND_bytes_ex.LIBCRYPTO-3-X64 ref: 00007FFB1DE59F1D

Strings

DOWNGRD, xrefs: 00007FFB1DE59F58

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: D_bytes_ex_time64
String ID: DOWNGRD
API String ID: 2101710396-2922851170
Opcode ID: 595a958ad84377dace5618307c0e2aff7eb6f449cf125978b5fc4b4e2de27990
Instruction ID: 89e2a1dd1c3bed2e064e2a3382937c1c03a5e9b84caffa0d2b25bbc0ff21b32f
Opcode Fuzzy Hash: 595a958ad84377dace5618307c0e2aff7eb6f449cf125978b5fc4b4e2de27990
Instruction Fuzzy Hash: F4210A67B0CA8282DB458725E95007E6762FB8EBD1F448035EB4F87B59EF2CD450C310

Function 00007FFB1DE7FFEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE8005B
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE8008D
BIO_dump_indent.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE80920,?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE80746

Strings

%s (%d), xrefs: 00007FFB1DE80083

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_dump_indentO_indentO_printf
String ID: %s (%d)
API String ID: 2723189173-2206749211
Opcode ID: 93791a2dcc674734336d11f463d41cdb8fc98dbb6e5f72923db4c161c1276840
Instruction ID: b9ac3c4088ecaf8d5d4b2f71d7e63258640737c238ef7b6df22e45e9337a2698
Opcode Fuzzy Hash: 93791a2dcc674734336d11f463d41cdb8fc98dbb6e5f72923db4c161c1276840
Instruction Fuzzy Hash: 8C11A5A3F0CEA185EE619631D4052BB2E93AB49BB2F694432DD4D07781FD3EE542C750

Function 00007FFB1DE65EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

OSSL_PARAM_construct_uint64.LIBCRYPTO-3-X64(00000000,00007FFB1DEA6170,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE65EFA
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(00000000,00007FFB1DEA6170,?,00007FFB1DE8F4E2,?,00007FFB1DE90F50), ref: 00007FFB1DE65F20

Strings

options, xrefs: 00007FFB1DE65EEE

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: M_construct_endM_construct_uint64
String ID: options
API String ID: 1971014382-3493198471
Opcode ID: 78fddee31014e87954bc70ecee1412cde6d75da54e5acff020a3a6618cbbac25
Instruction ID: 3bba12de66895118c05efa6ce0cf8f022f4f1327673d1f3c343e921f0cd2b6b1
Opcode Fuzzy Hash: 78fddee31014e87954bc70ecee1412cde6d75da54e5acff020a3a6618cbbac25
Instruction Fuzzy Hash: FF219F67A09FC982EA658B38E4413EEB371FB997A4F544231DB8C42656FF28E1D58700

Function 00007FFB1DE7FE3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FE8D
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FEBF
BIO_dump_indent.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE80920,?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE80746

Strings

%s (%d), xrefs: 00007FFB1DE7FEB5

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_dump_indentO_indentO_printf
String ID: %s (%d)
API String ID: 2723189173-2206749211
Opcode ID: a11a3fcb02c6e97845b30586de4320ae0ec78b09274aa0a165d373123f2a6340
Instruction ID: cf7ce1bd8f955dc953ade30ee04d05ba1e45db7233fd0807d1b9ac5db4a93807
Opcode Fuzzy Hash: a11a3fcb02c6e97845b30586de4320ae0ec78b09274aa0a165d373123f2a6340
Instruction Fuzzy Hash: 231182A3F1CE9289EE918A31D4001BF2A53EB497B5F554032DD4D07756EE3DE5428750

Function 00007FFB1DE7FF5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FFA2
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FFD7
BIO_dump_indent.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFB1DE80920,?,?,?,?,?,?,00007FFB1DE7EEF8), ref: 00007FFB1DE80746

Strings

%s (%d), xrefs: 00007FFB1DE7FFCD

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_dump_indentO_indentO_printf
String ID: %s (%d)
API String ID: 2723189173-2206749211
Opcode ID: 874b60bea013bf62d85bc01c93f9a073eca7368aa71d4d4dc5420f2d1dbe5bf2
Instruction ID: 5119a660e12a758468b531b47efbef343bdb2de9167e07c65f4ceb9168832ece
Opcode Fuzzy Hash: 874b60bea013bf62d85bc01c93f9a073eca7368aa71d4d4dc5420f2d1dbe5bf2
Instruction Fuzzy Hash: AC11C6B3B1CEA685EE508A31D4000BB5B53E74ABB5F544031CE4D07795EE3DE5438750

Function 00007FFB1C8E8D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFB1C8E8D70
RaiseException.KERNEL32 ref: 00007FFB1C8E8DB1

Strings

csm, xrefs: 00007FFB1C8E8D9E

Memory Dump Source

Source File: 0000000A.00000002.1647484408.00007FFB1C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1C880000, based on PE: true

Associated: 0000000A.00000002.1647359793.00007FFB1C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647942345.00007FFB1C911000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1647963809.00007FFB1C912000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648036779.00007FFB1C98B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.1648056460.00007FFB1C991000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1c880000_openvpn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 5ee49b7aecac36941fe072b55b4bcf135add3bff28fdc2fdbc736ec53eda26ac
Instruction ID: 55a784b6c267677f469974da01ce27ee3c7be16feeefa5e60460783cd3f83ecf
Opcode Fuzzy Hash: 5ee49b7aecac36941fe072b55b4bcf135add3bff28fdc2fdbc736ec53eda26ac
Instruction Fuzzy Hash: 99115EB2618F8182EB218F29E4442A977E2FB88B94F284235EE8D07758DF3CC5518B00

Function 00007FFB1DE7FEDA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FF11
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFB1DE7FF47

Strings

%s (%d), xrefs: 00007FFB1DE7FF3D

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: O_indentO_printf
String ID: %s (%d)
API String ID: 1860387303-2206749211
Opcode ID: 5e54ca49d7790a2b746f09515fdb902cd763b4a104e8eb40ee273034994cae05
Instruction ID: eca8d2e8fdf324cfe14bfb5a8d75966cd75f68e1f9775aef21a7bc0a362af738
Opcode Fuzzy Hash: 5e54ca49d7790a2b746f09515fdb902cd763b4a104e8eb40ee273034994cae05
Instruction Fuzzy Hash: 7C0180B7B18E9685EE549B21E4001BB6B52FB4ABB2F458031CE4D43795EE3DE0438750

Function 00007FFB1DE6B020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

OSSL_PARAM_construct_int.LIBCRYPTO-3-X64 ref: 00007FFB1DE6B061
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64 ref: 00007FFB1DE6B087

Strings

read_ahead, xrefs: 00007FFB1DE6B05A

Memory Dump Source

Source File: 0000000A.00000002.1648103865.00007FFB1DE51000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFB1DE50000, based on PE: true

Associated: 0000000A.00000002.1648085529.00007FFB1DE50000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648167186.00007FFB1DEE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648197220.00007FFB1DF0D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648218409.00007FFB1DF10000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.1648237907.00007FFB1DF11000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb1de50000_openvpn.jbxd

Similarity

API ID: M_construct_endM_construct_int
String ID: read_ahead
API String ID: 984625892-3142057140
Opcode ID: 93fdfce576af0e6425acce1a07cd850d557476fcbd057104d2d27deb545539a7
Instruction ID: ef7c3b9e5efd8238863f8a9daf2924437bf20e9bef4d7854b2f4e80c2d2e41ca
Opcode Fuzzy Hash: 93fdfce576af0e6425acce1a07cd850d557476fcbd057104d2d27deb545539a7
Instruction Fuzzy Hash: 6D115E67908FC986EB218F38D0513EAB771FB99759F449231DB8D06616EF38D185CB00

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6b85d3.rbs

C:\ProgramData\vlc.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\licenseUser[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hix3epg.dpk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmmx3cuo.xyy.ps1

C:\Users\user\AppData\Local\Temp\msiE101.txt

C:\Users\user\AppData\Local\Temp\pssE113.ps1

C:\Users\user\AppData\Local\Temp\scrE102.ps1

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll

Windows Analysis Report
Setup.msi

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre