Edit tour

Windows Analysis Report
m9u08f2pMF.msi

Overview

General Information

Sample name:	m9u08f2pMF.msi renamed because original name is a hash value
Original sample name:	1e5ce241801ccbef1583b30d15bc5340897f02797c496f524b56412515936fca.msi
Analysis ID:	1571709
MD5:	5d5bf0697a16502ad90c1a0945859215
SHA1:	756580443533d77296238335bef2d6553dfb8fdc
SHA256:	1e5ce241801ccbef1583b30d15bc5340897f02797c496f524b56412515936fca
Tags:	LegionLoadermsiRobotDroppertaco-keys-comuser-johnk3r
Infos:

Detection

Score:	44
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Bypasses PowerShell execution policy

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to get notified if a device is plugged in / out

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (might use process or thread times for sandbox detection)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious MsiExec Embedding Parent

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5372 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\m9u08f2pMF.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4500 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7008 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 4836 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

openvpn.exe (PID: 6868 cmdline: "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe" MD5: 5E807B5DAD1B6C81982037C714DC9AEF)

conhost.exe (PID: 2772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7008, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 4836, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7008, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 4836, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7008, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 4836, ProcessName: powershell.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7008, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 4836, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://taco-keys.com/licenseUser.phpAI_DATA_SETTER_4Params

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: m9u08f2pMF.msi

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1E520 NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free,	8_2_00007FF673E1E520
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E54D00 SetConsoleOutputCP,memset,memset,__acrt_iob_func,__acrt_iob_func,CRYPTO_get_ex_new_index,OPENSSL_init_crypto,memset,malloc,calloc,	8_2_00007FF673E54D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E20C90 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,	8_2_00007FF673E20C90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1D7B0 BIO_new_mem_buf,_exit,PEM_read_bio,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	8_2_00007FF673E1D7B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9F380 malloc,EVP_CipherInit_ex,EVP_CipherUpdate,_exit,EVP_CipherFinal,malloc,malloc,EVP_MAC_init,_exit,EVP_MAC_update,EVP_MAC_update,EVP_MAC_CTX_get_mac_size,EVP_MAC_final,CRYPTO_memcmp,malloc,malloc,htonl,htonl,free,free,ERR_clear_error,free,free,	8_2_00007FF673E9F380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E3DB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv,	8_2_00007FF673E3DB60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1DE90 EVP_CIPHER_CTX_new,EVP_des_ede3_ecb,EVP_EncryptInit_ex,EVP_EncryptUpdate,EVP_EncryptFinal,_exit,EVP_CIPHER_CTX_free,	8_2_00007FF673E1DE90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1E590 MultiByteToWideChar,malloc,MultiByteToWideChar,CertFindExtension,CryptDecodeObject,malloc,CryptDecodeObject,_stricmp,free,CryptFindOIDInfo,CryptFindOIDInfo,_stricmp,free,free,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,isxdigit,isxdigit,strncmp,CertFindCertificateInStore,CertVerifyTimeValidity,CertFindCertificateInStore,free,OBJ_sn2nid,EVP_PKEY_get_bits,NCryptSignHash,SetLastError,strcmp,NCryptSignHash,SetLastError,calloc,CertOpenStore,CertCloseStore,CertOpenStore,CertCloseStore,CertGetNameStringW,malloc,CertGetNameStringW,d2i_X509,CryptAcquireCertificatePrivateKey,X509_free,NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free,free,free,X509_get_pubkey,free,free,	8_2_00007FF673E1E590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FA110 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,VirtualFree,EscapeCommFunction,DeleteFileTransactedW,CheckRemoteDebuggerPresent,GetCommConfig,FlsFree,UnhandledExceptionFilter,HeapQueryInformation,CompareStringW,GlobalFlags,CreateSemaphoreW,CloseHandle,FillConsoleOutputCharacterW,SetProcessDEPPolicy,QueryMemoryResourceNotification,ReadFile,VirtualUnlock,SetConsoleWindowInfo,SetFileValidData,FreeLibraryWhenCallbackReturns,GetStringTypeExW,WakeAllConditionVariable,CreateFileMappingFromApp,GetSystemTimeAdjustment,GetFileAttributesW,VerifyScripts,CreateFiber,InterlockedFlushSList,ReleaseMutexWhenCallbackReturns,GetMaximumProcessorGroupCount,AllocateUserPhysicalPages,CreateSemaphoreW,VerSetConditionMask,GetConsoleScreenBufferInfoEx,DeviceIoControl,EnumSystemLocalesW,DeleteFiber,SetNamedPipeHandleState,HeapUnlock,GetSystemFileCacheSize,CompareStringOrdinal,CreateEventExW,DeviceIoControl,PostQueuedCompletionStatus,GetCurrentProcessId,SystemTimeToFileTime,SetupComm,MultiByteToWideChar,VirtualProtect,EndUpdateResourceW,FindFirstFileExW,ExpandEnvironmentStringsW,GetModuleFileNameW,GetCalendarInfoW,GetProcAddress,WriteTapemark,ReadConsoleOutputW,FindFirstVolumeMountPointW,OpenProcess,QueryThreadProfiling,CreateMutexExW,SetConsoleCtrlHandler,GetThreadTimes,GetConsoleCP,GetNamedPipeClientComputerNameW,SetCommTimeouts,FindFirstVolumeW,AddDllDirectory,QueryDepthSList,GetCurrentProcessId,OpenFileById,GetEnvironmentStringsW,SetFirmwareEnvironmentVariableExW,OutputDebugStringA,	8_2_00007FFBA95FA110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A010 CryptGenRandom,	8_2_00007FFBA970A010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEDBD0 CRYPTO_memcmp,	8_2_00007FFBBAFEDBD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF91BE0 CRYPTO_zalloc,	8_2_00007FFBBAF91BE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF97BEE CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAF97BEE
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFABC10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	8_2_00007FFBBAFABC10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF93C40 ERR_clear_error,ERR_new,ERR_set_debug,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,SetLastError,BIO_read,BIO_ADDR_new,BIO_ctrl,BIO_ctrl,BIO_ADDR_free,BIO_write,BIO_ctrl,BIO_test_flags,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_ctrl,BIO_ADDR_clear,BIO_write,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,BIO_test_flags,BIO_ADDR_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FFBBAF93C40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDBC50 CRYPTO_free,	8_2_00007FFBBAFDBC50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF99C50 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	8_2_00007FFBBAF99C50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF91C50 CRYPTO_zalloc,	8_2_00007FFBBAF91C50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00BC70 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	8_2_00007FFBBB00BC70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFADAA0 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_new,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_memdup,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FFBBAFADAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF7AC0 ERR_new,ERR_set_debug,CRYPTO_malloc,COMP_expand_block,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAFF7AC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009B55 ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free,	8_2_00007FFBBB009B55
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009B6C EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,OSSL_STORE_INFO_get_type,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,OSSL_STORE_INFO_get_type,CRYPTO_malloc,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	8_2_00007FFBBB009B6C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB7B60 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,ERR_new,ERR_set_debug,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	8_2_00007FFBBAFB7B60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009B83 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB009B83
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD19B0 CRYPTO_malloc,	8_2_00007FFBBAFD19B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC79E0 CRYPTO_malloc,memcpy,BIO_snprintf,BIO_snprintf,CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_new_file,BIO_free_all,CRYPTO_free,BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFC79E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009A2F memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBB009A2F
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF99A20 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	8_2_00007FFBBAF99A20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE1A39 CRYPTO_malloc,CRYPTO_free,	8_2_00007FFBBAFE1A39
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFBA40 CRYPTO_free,	8_2_00007FFBBAFFBA40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9DA50 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OSSL_STACK_OF_X509_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	8_2_00007FFBBAF9DA50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF1A60 CRYPTO_free,	8_2_00007FFBBAFF1A60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD1A70 CRYPTO_free,	8_2_00007FFBBAFD1A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA3A70 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OSSL_STACK_OF_X509_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFA3A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3A70 CRYPTO_get_ex_data,	8_2_00007FFBBAFB3A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB003A90 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	8_2_00007FFBBB003A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFBA90 CRYPTO_free,	8_2_00007FFBBAFFBA90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00B8B0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,RAND_bytes_ex,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	8_2_00007FFBBB00B8B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCB8E0 CRYPTO_free,CRYPTO_free,OSSL_ERR_STATE_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFCB8E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC78E0 BIO_free_all,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFC78E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF9900 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBAFF9900
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB005930 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB005930
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA1950 CRYPTO_free,CRYPTO_strdup,	8_2_00007FFBBAFA1950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFDFB0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	8_2_00007FFBBAFFDFB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC5FB0 CRYPTO_realloc,	8_2_00007FFBBAFC5FB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9BFF0 CRYPTO_THREAD_run_once,	8_2_00007FFBBAF9BFF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE8010 CRYPTO_zalloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FFBBAFE8010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD2010 CRYPTO_free,	8_2_00007FFBBAFD2010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD0020 CRYPTO_zalloc,CRYPTO_strdup,CRYPTO_free,	8_2_00007FFBBAFD0020
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBA040 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,	8_2_00007FFBBAFBA040
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB006050 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB006050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF8050 CRYPTO_malloc,COMP_expand_block,	8_2_00007FFBBAFF8050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB4070 CRYPTO_free,CRYPTO_memdup,	8_2_00007FFBBAFB4070
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDBEB0 CRYPTO_zalloc,	8_2_00007FFBBAFDBEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBDEB0 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	8_2_00007FFBBAFBDEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF91EC0 CRYPTO_free,	8_2_00007FFBBAF91EC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3F00 CRYPTO_free,CRYPTO_strdup,	8_2_00007FFBBAFB3F00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB9F40 OSSL_PROVIDER_do_all,CRYPTO_malloc,memcpy,	8_2_00007FFBBAFB9F40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3F60 CRYPTO_malloc,CRYPTO_free,	8_2_00007FFBBAFE3F60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009F76 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBB009F76
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE5F70 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FFBBAFE5F70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9DF70 CRYPTO_malloc,BIO_snprintf,	8_2_00007FFBBAF9DF70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00BF80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_is_a,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	8_2_00007FFBBB00BF80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF99F90 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	8_2_00007FFBBAF99F90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF97DA0 CRYPTO_free,	8_2_00007FFBBAF97DA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF95DB0 CRYPTO_malloc,	8_2_00007FFBBAF95DB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB019E10 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB019E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9DE10 i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAF9DE10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB9E10 CRYPTO_zalloc,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,	8_2_00007FFBBAFB9E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB001E40 CRYPTO_realloc,	8_2_00007FFBBB001E40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3E50 CRYPTO_free,CRYPTO_memdup,	8_2_00007FFBBAFB3E50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFFE60 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBAFFFE60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009E7A ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	8_2_00007FFBBB009E7A
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC9E70 OPENSSL_LH_free,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	8_2_00007FFBBAFC9E70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009E91 EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_CTX_copy_ex,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	8_2_00007FFBBB009E91
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE5E80 CRYPTO_free,	8_2_00007FFBBAFE5E80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD1E80 CRYPTO_realloc,	8_2_00007FFBBAFD1E80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCFCC0 CRYPTO_free,	8_2_00007FFBBAFCFCC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB9CD0 EVP_MAC_CTX_free,CRYPTO_free,	8_2_00007FFBBAFB9CD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009D1A memset,CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB009D1A
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009D03 EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestVerify,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	8_2_00007FFBBB009D03
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3D70 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,	8_2_00007FFBBAFB3D70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3D80 CRYPTO_zalloc,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFE3D80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF913A0 CRYPTO_free,	8_2_00007FFBBAF913A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDF3E0 CRYPTO_realloc,	8_2_00007FFBBAFDF3E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBD450 CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid,CONF_parse_list,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFBD450
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB019470 EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB019470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB0012B0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB0012B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB32C0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	8_2_00007FFBBAFB32C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE52E0 BIO_free,CRYPTO_free,	8_2_00007FFBBAFE52E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCB2E0 CRYPTO_free,	8_2_00007FFBBAFCB2E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00B310 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	8_2_00007FFBBB00B310
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB9300 CRYPTO_realloc,memcpy,	8_2_00007FFBBAFB9300
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE5320 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,ERR_new,ERR_set_debug,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_CIPHER_is_a,EVP_MD_up_ref,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_free,ERR_new,ERR_set_debug,ERR_set_error,BIO_free,CRYPTO_free,	8_2_00007FFBBAFE5320
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBD320 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFBD320
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3350 OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_delete,CRYPTO_free,	8_2_00007FFBBAFE3350
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9D360 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAF9D360
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA7360 CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	8_2_00007FFBBAFA7360
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB0191A0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB0191A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB1B0 CRYPTO_free,	8_2_00007FFBBAFFB1B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC51F0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	8_2_00007FFBBAFC51F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB210 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAFFB210
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB1210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	8_2_00007FFBBAFB1210
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	8_2_00007FFBBAF9321D
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD3230 CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAFD3230
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF95240 CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAF95240
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE1277 CRYPTO_realloc,	8_2_00007FFBBAFE1277
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB011260 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBB011260
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEF280 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,	8_2_00007FFBBAFEF280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE30B0 EVP_EncryptUpdate,OPENSSL_LH_retrieve,	8_2_00007FFBBAFE30B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9B0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,	8_2_00007FFBBAF9B0B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC50E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	8_2_00007FFBBAFC50E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCD110 CRYPTO_free,	8_2_00007FFBBAFCD110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA9120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	8_2_00007FFBBAFA9120
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB007130 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB007130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF3130 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBAFF3130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDD140 CRYPTO_realloc,	8_2_00007FFBBAFDD140
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBD150 CRYPTO_free,CRYPTO_malloc,	8_2_00007FFBBAFBD150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFF170 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	8_2_00007FFBBAFFF170
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3190 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,	8_2_00007FFBBAFE3190
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB7B0 CRYPTO_free,	8_2_00007FFBBAFFB7B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFD7C0 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,	8_2_00007FFBBAFFD7C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF97F0 CRYPTO_malloc,ERR_new,ERR_set_debug,	8_2_00007FFBBAFF97F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3820 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFE3820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA3820 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,CRYPTO_realloc,	8_2_00007FFBBAFA3820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB011820 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBB011820
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA5840 i2d_PUBKEY,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,d2i_PUBKEY,EVP_PKEY_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	8_2_00007FFBBAFA5840
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3840 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFB3840
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF99850 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	8_2_00007FFBBAF99850
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF7870 CRYPTO_free,	8_2_00007FFBBAFF7870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF97870 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	8_2_00007FFBBAF97870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB001880 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB001880
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFD6B0 ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBAFFD6B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB0076B0 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB0076B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF936C0 X509_VERIFY_PARAM_get0_peername,BIO_get_shutdown,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,	8_2_00007FFBBAF936C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC56E0 CRYPTO_zalloc,	8_2_00007FFBBAFC56E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF9700 OPENSSL_cleanse,CRYPTO_free,	8_2_00007FFBBAFF9700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA3700 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFA3700
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB01B730 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB01B730
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE7720 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFE7720
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF91740 CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAF91740
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB760 CRYPTO_free,	8_2_00007FFBBAFFB760
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF9770 CRYPTO_free,	8_2_00007FFBBAFF9770
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA5780 a2i_IPADDRESS,ASN1_OCTET_STRING_free,X509_VERIFY_PARAM_get1_ip_asc,CRYPTO_free,X509_VERIFY_PARAM_add1_host,	8_2_00007FFBBAFA5780
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF935C8 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,	8_2_00007FFBBAF935C8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB75C0 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	8_2_00007FFBBAFB75C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF915D0 CRYPTO_free,	8_2_00007FFBBAF915D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB5F0 CRYPTO_free,	8_2_00007FFBBAFFB5F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCB600 CRYPTO_free,	8_2_00007FFBBAFCB600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB001600 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	8_2_00007FFBBB001600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB3650 CRYPTO_THREAD_unlock,	8_2_00007FFBBAFB3650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFFB670 CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFFB670
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAD68B X509_VERIFY_PARAM_free,BIO_pop,BIO_free,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,OSSL_STACK_OF_X509_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,BIO_free_all,BIO_free_all,CRYPTO_free,	8_2_00007FFBBAFAD68B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFCB4C0 CRYPTO_zalloc,	8_2_00007FFBBAFCB4C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE34D0 CRYPTO_free,	8_2_00007FFBBAFE34D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB34E0 CRYPTO_THREAD_write_lock,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	8_2_00007FFBBAFB34E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9B500 CRYPTO_free,	8_2_00007FFBBAF9B500
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA5500 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	8_2_00007FFBBAFA5500
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB015530 ERR_new,i2d_PUBKEY,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBB015530
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00B540 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,RAND_bytes_ex,EVP_MD_CTX_new,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	8_2_00007FFBBB00B540
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009570 ERR_new,ERR_set_debug,CRYPTO_clear_free,	8_2_00007FFBBB009570
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB5560 CRYPTO_malloc,CRYPTO_new_ex_data,ERR_new,ERR_set_debug,ERR_set_error,X509_up_ref,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	8_2_00007FFBBAFB5560
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF99590 CRYPTO_free,CRYPTO_memdup,	8_2_00007FFBBAF99590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB016BB0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	8_2_00007FFBBB016BB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC6BC0 CRYPTO_malloc,	8_2_00007FFBBAFC6BC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	8_2_00007FFBBAFAABF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB006C00 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBB006C00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEAC00 CRYPTO_realloc,	8_2_00007FFBBAFEAC00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF6C00 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBAFF6C00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF98C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	8_2_00007FFBBAF98C60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF92C60 CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAF92C60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDEAB0 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,	8_2_00007FFBBAFDEAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9CAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,	8_2_00007FFBBAF9CAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEAAD0 CRYPTO_zalloc,	8_2_00007FFBBAFEAAD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAAAD0 CRYPTO_set_ex_data,	8_2_00007FFBBAFAAAD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB002B00 CRYPTO_realloc,	8_2_00007FFBBB002B00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC6B40 CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFC6B40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9CB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	8_2_00007FFBBAF9CB70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9AB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	8_2_00007FFBBAF9AB80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB004B90 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FFBBB004B90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBCB90 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFBCB90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB00C9B0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	8_2_00007FFBBB00C9B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE89A0 CRYPTO_realloc,	8_2_00007FFBBAFE89A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBC9B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFBC9B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAE9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	8_2_00007FFBBAFAE9C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEA9E0 CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFEA9E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA49F0 CRYPTO_memdup,CRYPTO_free,	8_2_00007FFBBAFA49F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB4A30 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAFB4A30
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB002A50 CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBB002A50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDAA60 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	8_2_00007FFBBAFDAA60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB01CA60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	8_2_00007FFBBB01CA60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA4A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAFA4A72
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC4A70 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	8_2_00007FFBBAFC4A70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF92A80 CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAF92A80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB01AA80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBB01AA80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA6A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	8_2_00007FFBBAFA6A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE08C0 CRYPTO_clear_free,CRYPTO_free,	8_2_00007FFBBAFE08C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFD68C0 CRYPTO_zalloc,CRYPTO_free,	8_2_00007FFBBAFD68C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEE8C0 CRYPTO_free,	8_2_00007FFBBAFEE8C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBA8C0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,	8_2_00007FFBBAFBA8C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE0920 CRYPTO_malloc,memcpy,CRYPTO_free,	8_2_00007FFBBAFE0920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDA920 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,	8_2_00007FFBBAFDA920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE6921 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts,	8_2_00007FFBBAFE6921
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEE920 CRYPTO_free,	8_2_00007FFBBAFEE920
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF2940 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FFBBAFF2940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF92940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free,	8_2_00007FFBBAF92940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE4950 OPENSSL_LH_delete,CRYPTO_free,	8_2_00007FFBBAFE4950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDE960 CRYPTO_zalloc,	8_2_00007FFBBAFDE960
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF96FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	8_2_00007FFBBAF96FC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB1000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FFBBAFB1000
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9D010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FFBBAF9D010
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF91030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv,	8_2_00007FFBBAF91030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFE3050 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,	8_2_00007FFBBAFE3050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA5050 CRYPTO_set_ex_data,	8_2_00007FFBBAFA5050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB5050 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAFB5050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEF060 CRYPTO_malloc,CRYPTO_free,	8_2_00007FFBBAFEF060
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA5070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	8_2_00007FFBBAFA5070
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBCEE0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FFBBAFBCEE0

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F65C12FB-F21E-46AC-B40E-DA85278EC407}

Jump to behavior

Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1867271138.00007FFBA9DCC000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: m9u08f2pMF.msi
Source:	Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1870207640.00007FFBBCD51000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: m9u08f2pMF.msi, MSI906C.tmp.2.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: m9u08f2pMF.msi, MSI99B4.tmp.2.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: m9u08f2pMF.msi
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: m9u08f2pMF.msi, MSI99B4.tmp.2.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: m9u08f2pMF.msi, MSI906C.tmp.2.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: m9u08f2pMF.msi, MSI62FF.tmp.2.dr, MSI62A0.tmp.2.dr, MSI6231.tmp.2.dr, MSI6270.tmp.2.dr, MSI8C72.tmp.2.dr, MSI61B3.tmp.2.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95F8BD0 GetCurrentProcess,LocalFileTimeToFileTime,EraseTape,GetQueuedCompletionStatus,QueryProcessCycleTime,CancelWaitableTimer,GetStringTypeA,GetSystemWow64DirectoryW,BackupSeek,LockFileEx,CreateMemoryResourceNotification,VerifyScripts,MoveFileTransactedW,QueueUserAPC,GetProcessIoCounters,LeaveCriticalSection,ChangeTimerQueueTimer,SetEvent,AllocateUserPhysicalPagesNuma,GetTickCount,GetVolumePathNamesForVolumeNameW,GlobalAlloc,SetFileAttributesW,GetComputerNameW,EndMenu,EnumPropsW,EnumResourceNamesW,CreateSemaphoreW,GetForegroundWindow,SetProcessMitigationPolicy,WaitForMultipleObjectsEx,CreateFiberEx,GetThreadDesktop,IsCharLowerW,SetProcessRestrictionExemption,UnregisterDeviceNotification,ScrollDC,RegisterPointerInputTargetEx,SetPhysicalCursorPos,GetMenuStringW,SetKeyboardState,VkKeyScanExW,PostMessageW,GetDiskFreeSpaceExW,LCIDToLocaleName,LockFileEx,LocalFree,LockFile,QueryIdleProcessorCycleTime,InitializeSListHead,Wow64SetThreadContext,CreateDirectoryExW,GetNamedPipeServerProcessId,CreateSymbolicLinkTransactedW,GetVolumeInformationByHandleW,EnumResourceNamesExW,IsValidCodePage,GetModuleHandleW,CancelIo,HeapCompact,SwitchToFiber,ConvertThreadToFiberEx,GetNamedPipeInfo,AcquireSRWLockExclusive,InitOnceComplete,FormatMessageW,FlsAlloc,GetConsoleTitleW,SwitchToFiber,CreateDirectoryExW,CreatePrivateNamespaceW,QueryPerformanceCounter,PurgeComm,EnumUILanguagesW,CreateEventW,MoveFileWithProgressW,FindFirstFileW,CompareStringEx,IsBadStringPtrW,OfferVirtualMemory,GetCurrentThread,ExtSelectClipRgn,GetNamedPipeClientSessionId,LocalFileTimeToFileTime,RtlCaptureStackBackTrace,GetProcessHeap,CreateDirectoryW,RectVisible,FreeEnvironmentStringsW,SetFileAttributesW,AnimatePalette,CopyFile2,CreateDIBPatternBrush,SetThreadpoolThreadMaximum,CreateMutexExW,SetCommTimeouts,QueryThreadpoolStackInformation,GenerateConsoleCtrlEvent,SetThreadpoolStackInformation,AddDllDirectory,GetNativeSystemInfo,SetThreadpoolWait,SetFileAttributesW,SetDefaultDllDirectories,GetLocaleInfoW,GetOverlappedResult,OutputDebugStringW,CallNamedPipeW,RtlUnwind,SetCommTimeouts,GetProfileStringW,CreateEventExW,GetPrivateProfileIntW,WinExec,GetProfileStringW,EraseTape,FindNextVolumeW,QueryThreadCycleTime,ResetEvent,GetNamedPipeHandleStateW,DeleteFileW,CalculatePopupWindowPosition,GetWindowPlacement,IsCharAlphaW,GetConsoleAliasExesLengthW,InterlockedFlushSList,GetConsoleAliasExesW,ReadDirectoryChangesW,QueryPerformanceCounter,GetOverlappedResultEx,GetKBCodePage,GetActiveProcessorCount,GetMenuItemID,GetCommState,FindFirstFileW,DdeReconnect,CreateRemoteThread,GetRawInputData,GetNamedPipeInfo,GetAtomNameW,IsBadStringPtrW,RtlCaptureStackBackTrace,FindNextChangeNotification,HeapReAlloc,SetThreadErrorMode,EnterSynchronizationBarrier,GetLogicalDrives,ExitProcess,

8_2_00007FFBA95F8BD0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FC940 FreeLibraryWhenCallbackReturns,CloseThreadpool,GetLargePageMinimum,SetWindowsHookExW,ChangeClipboardChain,ReadConsoleOutputAttribute,RegisterApplicationRestart,EnableScrollBar,IsBadCodePtr,CharLowerBuffW,GetCommandLineW,SetConsoleTextAttribute,CreateMailslotW,GetAltTabInfoW,EnumDisplayDevicesW,AdjustWindowRectEx,GetDCEx,GetNLSVersionEx,GetProcessWorkingSetSizeEx,RemoveDirectoryW,GetCalendarInfoW,CreateRectRgnIndirect,DefineDosDeviceW,GetTextExtentPoint32W,WriteProfileSectionW,VerifyScripts,GetKerningPairsW,EnumResourceTypesExW,GetFinalPathNameByHandleW,CreateDiscardableBitmap,EnterCriticalSection,StretchDIBits,GetDefaultCommConfigW,GetCurrentPositionEx,CreateICW,GetConsoleTitleW,VirtualUnlock,EnterSynchronizationBarrier,InterlockedPushListSListEx,SetProcessPreferredUILanguages,AddSecureMemoryCacheCallback,ResetEvent,CreatePipe,GetNumaHighestNodeNumber,GetProcessAffinityMask,EnumDateFormatsW,HeapUnlock,SetConsoleActiveScreenBuffer,GetProcessMitigationPolicy,WaitNamedPipeW,GetNumaProcessorNode,LocalReAlloc,SetDllDirectoryW,lstrcatW,IsValidLocale,ApplicationRecoveryFinished,CreateFileMappingNumaW,NeedCurrentDirectoryForExePathW,SetThreadpoolWait,WriteTapemark,CreateDirectoryW,QueryIdleProcessorCycleTimeEx,CreateSemaphoreExW,SetConsoleActiveScreenBuffer,PathFileExistsA,UnhandledExceptionFilter,ApplicationRecoveryInProgress,TryAcquireSRWLockShared,IsDBCSLeadByte,ReadConsoleInputW,SwitchToFiber,FlushProcessWriteBuffers,AllocateUserPhysicalPagesNuma,SetConsoleActiveScreenBuffer,BackupWrite,SetFileApisToANSI,GetPriorityClass,GetConsoleProcessList,GetTapeStatus,GetVersionExW,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,ReleaseSemaphore,VirtualProtectEx,WriteProcessMemory,FindNextFileW,SetProtectedPolicy,EnumSystemFirmwareTables,OpenFileMappingW,GetNamedPipeServerSessionId,CreateFileW,CommConfigDialogW,GetFileType,FindNextChangeNotification,LocalAlloc,CreateDirectoryW,GetConsoleCursorInfo,CreateThreadpool,SetProcessAffinityUpdateMode,GetFileAttributesExW,CallbackMayRunLong,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,Wow64DisableWow64FsRedirection,GlobalReAlloc,DefWindowProcW,EnumSystemFirmwareTables,DialogBoxIndirectParamW,GetNumaNodeProcessorMask,GetConsoleCursorInfo,lstrcpyW,GetDllDirectoryW,LocalSize,FindNextStreamW,CreateNamedPipeW,WakeConditionVariable,TrackMouseEvent,Wow64DisableWow64FsRedirection,RegisterHotKey,GetActiveProcessorCount,FileTimeToSystemTime,GetNumaProximityNodeEx,ExitProcess,Concurrency::cancel_current_task,ExitProcess,	8_2_00007FFBA95FC940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FA110 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,VirtualFree,EscapeCommFunction,DeleteFileTransactedW,CheckRemoteDebuggerPresent,GetCommConfig,FlsFree,UnhandledExceptionFilter,HeapQueryInformation,CompareStringW,GlobalFlags,CreateSemaphoreW,CloseHandle,FillConsoleOutputCharacterW,SetProcessDEPPolicy,QueryMemoryResourceNotification,ReadFile,VirtualUnlock,SetConsoleWindowInfo,SetFileValidData,FreeLibraryWhenCallbackReturns,GetStringTypeExW,WakeAllConditionVariable,CreateFileMappingFromApp,GetSystemTimeAdjustment,GetFileAttributesW,VerifyScripts,CreateFiber,InterlockedFlushSList,ReleaseMutexWhenCallbackReturns,GetMaximumProcessorGroupCount,AllocateUserPhysicalPages,CreateSemaphoreW,VerSetConditionMask,GetConsoleScreenBufferInfoEx,DeviceIoControl,EnumSystemLocalesW,DeleteFiber,SetNamedPipeHandleState,HeapUnlock,GetSystemFileCacheSize,CompareStringOrdinal,CreateEventExW,DeviceIoControl,PostQueuedCompletionStatus,GetCurrentProcessId,SystemTimeToFileTime,SetupComm,MultiByteToWideChar,VirtualProtect,EndUpdateResourceW,FindFirstFileExW,ExpandEnvironmentStringsW,GetModuleFileNameW,GetCalendarInfoW,GetProcAddress,WriteTapemark,ReadConsoleOutputW,FindFirstVolumeMountPointW,OpenProcess,QueryThreadProfiling,CreateMutexExW,SetConsoleCtrlHandler,GetThreadTimes,GetConsoleCP,GetNamedPipeClientComputerNameW,SetCommTimeouts,FindFirstVolumeW,AddDllDirectory,QueryDepthSList,GetCurrentProcessId,OpenFileById,GetEnvironmentStringsW,SetFirmwareEnvironmentVariableExW,OutputDebugStringA,	8_2_00007FFBA95FA110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F47C0 GetTempPathA,GetTempFileNameA,RequestWakeupLatency,IsSystemResumeAutomatic,AngleArc,GetThreadUILanguage,DuplicateHandle,RtlUnwind,SetThreadPriorityBoost,FindFirstFileTransactedW,SetProcessDEPPolicy,GetTapeStatus,GetMemoryErrorHandlingCapabilities,FindFirstFileExW,GetHandleInformation,GetSystemWindowsDirectoryW,GlobalReAlloc,lstrcmpiW,SetThreadpoolWaitEx,AddFontMemResourceEx,CreateSemaphoreW,SetLayout,GetProfileIntW,ConvertDefaultLocale,GlobalUnlock,AttachConsole,CreateHardLinkW,GetModuleHandleW,GetDCBrushColor,GetFontLanguageInfo,SetThreadLocale,GetROP2,SetThreadErrorMode,GetNLSVersion,GetGeoInfoW,RemoveDirectoryW,GetTempFileNameW,GetTimeZoneInformation,GetProcessGroupAffinity,GetNumberFormatW,RegisterApplicationRestart,FlsSetValue,AssignProcessToJobObject,CreateThreadpoolIo,SetTapeParameters,BackupSeek,GlobalMemoryStatus,MoveFileW,CreateHardLinkW,SetDefaultDllDirectories,GetCurrentThread,WaitNamedPipeW,RegOpenKeyExA,CreateEventExW,VirtualFree,ReadFileEx,GetConsoleOriginalTitleW,ReadConsoleOutputW,CreateSemaphoreExW,RtlCaptureStackBackTrace,DebugSetProcessKillOnExit,GetCommMask,GetTempFileNameW,GetNumaNodeProcessorMaskEx,AddSIDToBoundaryDescriptor,HeapSize,GetProcAddress,GetNumaNodeProcessorMask,SetProcessWorkingSetSize,SetConsoleHistoryInfo,GetPrivateProfileSectionNamesW,CommConfigDialogW,lstrcpyW,QueryIdleProcessorCycleTimeEx,GetThreadPreferredUILanguages,AddScopedPolicyIDAce,RegQueryValueExA,HeapCompact,CheckTokenMembershipEx,lstrcatW,SetWaitableTimer,GetSystemWow64DirectoryW,GetConsoleTitleW,InterlockedPushListSListEx,SetTimeZoneInformation,GetActiveProcessorGroupCount,HeapValidate,GetConsoleScreenBufferInfoEx,FindFirstFileExW,GetConsoleCP,CreateDirectoryTransactedW,GetConsoleAliasW,HeapCreate,RemoveSecureMemoryCacheCallback,GetSystemTimeAsFileTime,GetFileMUIInfo,GetSystemWow64DirectoryW,InitializeCriticalSection,Wow64SuspendThread,RegCloseKey,OutputDebugStringA,	8_2_00007FFBA95F47C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F54B0 GetLocalTime,CreateSemaphoreA,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,GetTempPathA,TrySubmitThreadpoolCallback,GetSystemDefaultUILanguage,QueryProtectedPolicy,FreeConsole,InitializeSListHead,GetTimeFormatW,GetStdHandle,GetConsoleAliasesLengthW,FileTimeToSystemTime,AreFileApisANSI,QueryThreadProfiling,GetNumaProcessorNodeEx,InitOnceComplete,GlobalSize,FindFirstFileNameTransactedW,SetConsoleTitleW,GetDiskFreeSpaceExW,DeleteBoundaryDescriptor,GetComputerNameW,SetThreadIdealProcessor,InitializeConditionVariable,GetThreadTimes,GetProcessWorkingSetSize,EqualRect,WaitForThreadpoolTimerCallbacks,SetThreadpoolThreadMinimum,GetSubMenu,GetApplicationRestartSettings,ReadConsoleOutputW,PhysicalToLogicalPoint,EnumResourceNamesW,PackDDElParam,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetMessagePos,SetFileShortNameW,CreateTapePartition,GetApplicationRecoveryCallback,GetMenuItemInfoW,LocalLock,GetProcessHeap,SetFileAttributesW,ContinueDebugEvent,GetAppContainerNamedObjectPath,GetPrivateProfileSectionW,IsBadStringPtrW,CreateSymbolicLinkW,GetFileTime,GetConsoleScreenBufferInfoEx,InitializeCriticalSection,FindFirstStreamW,PurgeComm,HeapAlloc,AddAtomW,CheckTokenCapability,SetupComm,GetConsoleFontSize,SetConsoleDisplayMode,GetModuleFileNameW,InitializeConditionVariable,CloseThreadpoolCleanupGroupMembers,MoveFileW,SetLocalTime,SetConsoleActiveScreenBuffer,ReclaimVirtualMemory,GetAtomNameW,SwitchToThread,AddSecureMemoryCacheCallback,AddVectoredContinueHandler,PulseEvent,SetThreadContext,AddSIDToBoundaryDescriptor,EnumLanguageGroupLocalesW,UnregisterApplicationRecoveryCallback,GetStringTypeA,GetDurationFormat,VirtualAlloc,HeapCreate,GetLastError,HeapAlloc,GetLastError,HeapFree,HeapDestroy,EnumResourceTypesExW,IsValidCodePage,IsBadWritePtr,ConvertThreadToFiber,GetPhysicallyInstalledSystemMemory,QueryUnbiasedInterruptTime,GetSystemRegistryQuota,ClearCommBreak,InitAtomTable,ConvertFiberToThread,CreateDirectoryW,GlobalFindAtomW,SetProcessPriorityBoost,FatalAppExitW,SetWaitableTimer,ReleaseSRWLockExclusive,GetProcessTimes,GetTickCount,GlobalAddAtomW,	8_2_00007FFBA95F54B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F8BD0 GetCurrentProcess,LocalFileTimeToFileTime,EraseTape,GetQueuedCompletionStatus,QueryProcessCycleTime,CancelWaitableTimer,GetStringTypeA,GetSystemWow64DirectoryW,BackupSeek,LockFileEx,CreateMemoryResourceNotification,VerifyScripts,MoveFileTransactedW,QueueUserAPC,GetProcessIoCounters,LeaveCriticalSection,ChangeTimerQueueTimer,SetEvent,AllocateUserPhysicalPagesNuma,GetTickCount,GetVolumePathNamesForVolumeNameW,GlobalAlloc,SetFileAttributesW,GetComputerNameW,EndMenu,EnumPropsW,EnumResourceNamesW,CreateSemaphoreW,GetForegroundWindow,SetProcessMitigationPolicy,WaitForMultipleObjectsEx,CreateFiberEx,GetThreadDesktop,IsCharLowerW,SetProcessRestrictionExemption,UnregisterDeviceNotification,ScrollDC,RegisterPointerInputTargetEx,SetPhysicalCursorPos,GetMenuStringW,SetKeyboardState,VkKeyScanExW,PostMessageW,GetDiskFreeSpaceExW,LCIDToLocaleName,LockFileEx,LocalFree,LockFile,QueryIdleProcessorCycleTime,InitializeSListHead,Wow64SetThreadContext,CreateDirectoryExW,GetNamedPipeServerProcessId,CreateSymbolicLinkTransactedW,GetVolumeInformationByHandleW,EnumResourceNamesExW,IsValidCodePage,GetModuleHandleW,CancelIo,HeapCompact,SwitchToFiber,ConvertThreadToFiberEx,GetNamedPipeInfo,AcquireSRWLockExclusive,InitOnceComplete,FormatMessageW,FlsAlloc,GetConsoleTitleW,SwitchToFiber,CreateDirectoryExW,CreatePrivateNamespaceW,QueryPerformanceCounter,PurgeComm,EnumUILanguagesW,CreateEventW,MoveFileWithProgressW,FindFirstFileW,CompareStringEx,IsBadStringPtrW,OfferVirtualMemory,GetCurrentThread,ExtSelectClipRgn,GetNamedPipeClientSessionId,LocalFileTimeToFileTime,RtlCaptureStackBackTrace,GetProcessHeap,CreateDirectoryW,RectVisible,FreeEnvironmentStringsW,SetFileAttributesW,AnimatePalette,CopyFile2,CreateDIBPatternBrush,SetThreadpoolThreadMaximum,CreateMutexExW,SetCommTimeouts,QueryThreadpoolStackInformation,GenerateConsoleCtrlEvent,SetThreadpoolStackInformation,AddDllDirectory,GetNativeSystemInfo,SetThreadpoolWait,SetFileAttributesW,SetDefaultDllDirectories,GetLocaleInfoW,GetOverlappedResult,OutputDebugStringW,CallNamedPipeW,RtlUnwind,SetCommTimeouts,GetProfileStringW,CreateEventExW,GetPrivateProfileIntW,WinExec,GetProfileStringW,EraseTape,FindNextVolumeW,QueryThreadCycleTime,ResetEvent,GetNamedPipeHandleStateW,DeleteFileW,CalculatePopupWindowPosition,GetWindowPlacement,IsCharAlphaW,GetConsoleAliasExesLengthW,InterlockedFlushSList,GetConsoleAliasExesW,ReadDirectoryChangesW,QueryPerformanceCounter,GetOverlappedResultEx,GetKBCodePage,GetActiveProcessorCount,GetMenuItemID,GetCommState,FindFirstFileW,DdeReconnect,CreateRemoteThread,GetRawInputData,GetNamedPipeInfo,GetAtomNameW,IsBadStringPtrW,RtlCaptureStackBackTrace,FindNextChangeNotification,HeapReAlloc,SetThreadErrorMode,EnterSynchronizationBarrier,GetLogicalDrives,ExitProcess,	8_2_00007FFBA95F8BD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AAC8 FindFirstFileNameTransactedW,FindFirstStreamW,CopyFile2,	8_2_00007FFBA970AAC8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9656CF8 FindClose,FindFirstFileExW,GetLastError,	8_2_00007FFBA9656CF8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9656D6C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	8_2_00007FFBA9656D6C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970B038 FindFirstFileW,	8_2_00007FFBA970B038
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AFF0 FindFirstFileExW,	8_2_00007FFBA970AFF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970B008 FindFirstFileA,	8_2_00007FFBA970B008
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96745C4 FindFirstFileExW,	8_2_00007FFBA96745C4

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: openvpn.exe.2.dr

Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmGetAppIdFromFileName0, FwpmEngineClose0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FF673E3DB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv,

8_2_00007FF673E3DB60

Source: global traffic

DNS traffic detected: DNS query: taco-keys.com

Source: vlc.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vlc.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: vlc.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: vlc.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: vlc.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vlc.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: vlc.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vlc.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vlc.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: vlc.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: libwinpthread-1.dll.2.dr	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: vlc.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vlc.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: vlc.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: openvpn.exe, openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://openvpn.net/faq.html#dhcpclientserv
Source: openvpn.exe, openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://openvpn.net/howto.html#mitm
Source: powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1770372215.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: vlc.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000005.00000002.1773918147.000000000772A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: vlc.exe.2.dr	String found in binary or memory: http://www.videolan.org/
Source: powershell.exe, 00000005.00000002.1770372215.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: libgpg-error-0.dll.2.dr	String found in binary or memory: https://gnu.org/licenses/
Source: libgpg-error-0.dll.2.dr	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: powershell.exe, 00000005.00000002.1770372215.000000000581F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: m9u08f2pMF.msi	String found in binary or memory: https://taco-keys.com/licenseUser.phpAI_DATA_SETTER_4Params
Source: vlc.exe.2.dr	String found in binary or memory: https://win.crashes.videolan.org/reportsCONOUT$
Source: vlc.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: libwinpthread-1.dll.2.dr, libgpg-error-0.dll.2.dr, libassuan-0.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: openvpn.exe	String found in binary or memory: https://www.openssl.org/
Source: openvpn.exe, 00000008.00000002.1867903344.00007FFBA9ECF000.00000002.00000001.01000000.00000008.sdmp, openvpn.exe, 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://www.openssl.org/H

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

8_2_00007FFBA95F8BD0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FF673E20520: DeviceIoControl,GetLastError,_exit,

8_2_00007FF673E20520

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95FC290 GetClipboardViewer,CloseWindowStation,CreateFileW,WaitForInputIdle,IsThreadAFiber,GetProcessPriorityBoost,StartThreadpoolIo,CalculatePopupWindowPosition,WakeAllConditionVariable,RegisterClassExW,WriteConsoleInputW,SetRectEmpty,ScrollDC,SetProcessRestrictionExemption,ExitWindowsEx,EndMenu,GetProcessWorkingSetSizeEx,SetPhysicalCursorPos,SwitchToThisWindow,SetClipboardViewer,CompareStringW,RegisterHotKey,DdeAddData,GetConsoleAliasW,IsCharAlphaW,GetCalendarInfoEx,UnionRect,FindFirstVolumeW,CreateMailslotW,FindNLSString,CloseThreadpoolIo,FindFirstVolumeW,ReleaseMutex,IsBadStringPtrW,FormatMessageW,CreateMutexExW,FindNLSString,MoveFileW,GetApplicationRecoveryCallback,CreateThreadpoolWork,FileTimeToSystemTime,ReadThreadProfilingData,IsProcessInJob,QueryUnbiasedInterruptTime,GetProcessHandleCount,GetHandleInformation,MapViewOfFile,RtlUnwind,GetThreadUILanguage,ReadProcessMemory,GetThreadGroupAffinity,InterlockedPushListSListEx,TrySubmitThreadpoolCallback,lstrcpynW,GetNumberOfConsoleMouseButtons,SignalObjectAndWait,GetCurrentDirectoryW,SetThreadGroupAffinity,EnumResourceLanguagesExW,RtlCaptureContext,GetProcessPreferredUILanguages,GetStringScripts,GetUserDefaultUILanguage,FindVolumeClose,CreateTimerQueue,GetDiskFreeSpaceW,GetProfileSectionW,GetEnvironmentVariableW,SetConsoleScreenBufferInfoEx,SetDynamicTimeZoneInformation,GetProcessHeaps,CreatePipe,DeleteAtom,CreatePipe,ReadConsoleInputW,Wow64GetThreadContext,GetDiskFreeSpaceW,

8_2_00007FFBA95FC290

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4659c4.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI61B3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6231.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6270.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62A0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62FF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6D51.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C72.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CC1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI906C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI99B4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{F65C12FB-F21E-46AC-B40E-DA85278EC407}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9CA3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4659c7.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4659c7.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI61B3.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EAA130	8_2_00007FF673EAA130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1BD20	8_2_00007FF673E1BD20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E54D00	8_2_00007FF673E54D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E848D0	8_2_00007FF673E848D0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E348C0	8_2_00007FF673E348C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EB34A0	8_2_00007FF673EB34A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9E470	8_2_00007FF673E9E470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E19460	8_2_00007FF673E19460
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E76060	8_2_00007FF673E76060
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E13440	8_2_00007FF673E13440
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E95C20	8_2_00007FF673E95C20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E3A3F0	8_2_00007FF673E3A3F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EB57E0	8_2_00007FF673EB57E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E93FE0	8_2_00007FF673E93FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9ABD0	8_2_00007FF673E9ABD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E937C0	8_2_00007FF673E937C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EA53C0	8_2_00007FF673EA53C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E32BC0	8_2_00007FF673E32BC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E427C0	8_2_00007FF673E427C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E80BA0	8_2_00007FF673E80BA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EA6F80	8_2_00007FF673EA6F80
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9F380	8_2_00007FF673E9F380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EAFF60	8_2_00007FF673EAFF60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E3DB60	8_2_00007FF673E3DB60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E11F60	8_2_00007FF673E11F60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EAE350	8_2_00007FF673EAE350
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EAEF10	8_2_00007FF673EAEF10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9E710	8_2_00007FF673E9E710
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EB26F0	8_2_00007FF673EB26F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E38EBD	8_2_00007FF673E38EBD
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EAEAB0	8_2_00007FF673EAEAB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E316B0	8_2_00007FF673E316B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9D2A0	8_2_00007FF673E9D2A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E7BAA0	8_2_00007FF673E7BAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EA7E90	8_2_00007FF673EA7E90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E16290	8_2_00007FF673E16290
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E46A60	8_2_00007FF673E46A60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E89650	8_2_00007FF673E89650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EBA240	8_2_00007FF673EBA240
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E15640	8_2_00007FF673E15640
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EB1630	8_2_00007FF673EB1630
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E63A20	8_2_00007FF673E63A20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EBBE10	8_2_00007FF673EBBE10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9AA10	8_2_00007FF673E9AA10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E81600	8_2_00007FF673E81600
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E96DF0	8_2_00007FF673E96DF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E9A1E0	8_2_00007FF673E9A1E0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E725B0	8_2_00007FF673E725B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EA9DA0	8_2_00007FF673EA9DA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E321A0	8_2_00007FF673E321A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1E590	8_2_00007FF673E1E590
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E29D70	8_2_00007FF673E29D70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E38D60	8_2_00007FF673E38D60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E1AD60	8_2_00007FF673E1AD60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EA6540	8_2_00007FF673EA6540
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FC940	8_2_00007FFBA95FC940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FED50	8_2_00007FFBA95FED50
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FA110	8_2_00007FFBA95FA110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F47C0	8_2_00007FFBA95F47C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F7410	8_2_00007FFBA95F7410
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F54B0	8_2_00007FFBA95F54B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96769EC	8_2_00007FFBA96769EC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9668A24	8_2_00007FFBA9668A24
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96048F0	8_2_00007FFBA96048F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA966A94C	8_2_00007FFBA966A94C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F8BD0	8_2_00007FFBA95F8BD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F6AE0	8_2_00007FFBA95F6AE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9670E44	8_2_00007FFBA9670E44
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9624D00	8_2_00007FFBA9624D00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9660CE0	8_2_00007FFBA9660CE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9656D6C	8_2_00007FFBA9656D6C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9664D40	8_2_00007FFBA9664D40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA967AFB0	8_2_00007FFBA967AFB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F6F40	8_2_00007FFBA95F6F40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FC290	8_2_00007FFBA95FC290
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9660234	8_2_00007FFBA9660234
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FC150	8_2_00007FFBA95FC150
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA967037C	8_2_00007FFBA967037C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96705F8	8_2_00007FFBA96705F8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96745C4	8_2_00007FFBA96745C4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA966653C	8_2_00007FFBA966653C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA965FA14	8_2_00007FFBA965FA14
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9603A10	8_2_00007FFBA9603A10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9661A78	8_2_00007FFBA9661A78
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9663938	8_2_00007FFBA9663938
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F9BC0	8_2_00007FFBA95F9BC0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FBBA0	8_2_00007FFBA95FBBA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA965FC20	8_2_00007FFBA965FC20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9665B70	8_2_00007FFBA9665B70
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9677B68	8_2_00007FFBA9677B68
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA966DE74	8_2_00007FFBA966DE74
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA965FE24	8_2_00007FFBA965FE24
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F3FE0	8_2_00007FFBA95F3FE0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9660030	8_2_00007FFBA9660030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA967922C	8_2_00007FFBA967922C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96652A0	8_2_00007FFBA96652A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA966D360	8_2_00007FFBA966D360
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA967331C	8_2_00007FFBA967331C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9661674	8_2_00007FFBA9661674
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA967B64C	8_2_00007FFBA967B64C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9667578	8_2_00007FFBA9667578
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA965F810	8_2_00007FFBA965F810
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA966D7F4	8_2_00007FFBA966D7F4
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9FBB0	8_2_00007FFBBAF9FBB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF93C40	8_2_00007FFBBAF93C40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEDC60	8_2_00007FFBBAFEDC60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009A2F	8_2_00007FFBBB009A2F
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB003A90	8_2_00007FFBBB003A90
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAB950	8_2_00007FFBBAFAB950
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF9C030	8_2_00007FFBBAF9C030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFC2030	8_2_00007FFBBAFC2030
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB006050	8_2_00007FFBBB006050
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBDEB0	8_2_00007FFBBAFBDEB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB011F00	8_2_00007FFBBB011F00
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF5DB0	8_2_00007FFBBAFF5DB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB019E10	8_2_00007FFBBB019E10
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB009E91	8_2_00007FFBBB009E91
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFED3F0	8_2_00007FFBBAFED3F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF97400	8_2_00007FFBBAF97400
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB019470	8_2_00007FFBBB019470
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFB32C0	8_2_00007FFBBAFB32C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAF95380	8_2_00007FFBBAF95380
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB007270	8_2_00007FFBBB007270
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFEF280	8_2_00007FFBBAFEF280
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF3130	8_2_00007FFBBAFF3130
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFAB830	8_2_00007FFBBAFAB830
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF5870	8_2_00007FFBBAFF5870
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF3650	8_2_00007FFBBAFF3650
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFF14A0	8_2_00007FFBBAFF14A0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFDF570	8_2_00007FFBBAFDF570
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB016BB0	8_2_00007FFBBB016BB0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFBCAA0	8_2_00007FFBBAFBCAA0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBAFA0EB0	8_2_00007FFBBAFA0EB0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01E2DA appears 38 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01E2D4 appears 316 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01E2CE appears 45 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBAFD92F0 appears 71 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF673E23290 appears 515 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01E39A appears 916 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBA9659ABC appears 222 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBAFC8340 appears 47 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01EA72 appears 68 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBAFC83D0 appears 56 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01EA66 appears 67 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FFBBB01EFC0 appears 592 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF673E126F0 appears 77 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF673E22CE0 appears 934 times
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: String function: 00007FF673E23310 appears 49 times

Source: libgpg-error-0.dll.2.dr	Static PE information: Number of sections : 12 > 10
Source: vlc.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: libwinpthread-1.dll.2.dr	Static PE information: Number of sections : 12 > 10
Source: libassuan-0.dll.2.dr	Static PE information: Number of sections : 12 > 10

Source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.2.dr	Static PE information: No import functions for PE file found

Source: m9u08f2pMF.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs m9u08f2pMF.msi
Source: m9u08f2pMF.msi	Binary or memory string: OriginalFilenameSecureProp.dllF vs m9u08f2pMF.msi
Source: m9u08f2pMF.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs m9u08f2pMF.msi
Source: m9u08f2pMF.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs m9u08f2pMF.msi

Source: classification engine

Classification label: mal44.troj.evad.winMSI@10/153@1/0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95F3C30 GetDiskFreeSpaceExA,

8_2_00007FFBA95F3C30

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML9FE5.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2772:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF68E06AF43313F540.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: m9u08f2pMF.msi

ReversingLabs: Detection: 26%

Source: openvpn.exe	String found in binary or memory: Use --help for more information.
Source: openvpn.exe	String found in binary or memory: Use --help for more information.
Source: openvpn.exe	String found in binary or memory: tun-stop
Source: openvpn.exe	String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe	String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe	String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe	String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe	String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: openvpn.exe	String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\m9u08f2pMF.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libssl-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libcrypto-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libpkcs11-helper-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: libcrypto-3-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: vlc.lnk.2.dr

LNK file: ..\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F65C12FB-F21E-46AC-B40E-DA85278EC407}

Jump to behavior

Source: m9u08f2pMF.msi

Static file information: File size 56207872 > 1048576

Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1867271138.00007FFBA9DCC000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: m9u08f2pMF.msi
Source:	Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1870207640.00007FFBBCD51000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: m9u08f2pMF.msi, MSI906C.tmp.2.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: m9u08f2pMF.msi, MSI99B4.tmp.2.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: m9u08f2pMF.msi
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: m9u08f2pMF.msi, MSI99B4.tmp.2.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: m9u08f2pMF.msi, MSI906C.tmp.2.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source:	Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: m9u08f2pMF.msi, MSI62FF.tmp.2.dr, MSI62A0.tmp.2.dr, MSI6231.tmp.2.dr, MSI6270.tmp.2.dr, MSI8C72.tmp.2.dr, MSI61B3.tmp.2.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr

Source: vlc.exe.2.dr

Static PE information: 0xA6D0A6C0 [Sun Sep 8 06:27:12 2058 UTC]

Source: vlc.exe.2.dr	Static PE information: section name: .buildid
Source: vlc.exe.2.dr	Static PE information: section name: .xdata
Source: vlc.exe.2.dr	Static PE information: section name: /4
Source: VCRUNTIME140.dll.2.dr	Static PE information: section name: _RDATA
Source: libassuan-0.dll.2.dr	Static PE information: section name: .xdata
Source: libgpg-error-0.dll.2.dr	Static PE information: section name: .xdata
Source: libwinpthread-1.dll.2.dr	Static PE information: section name: .xdata
Source: SecureProp.dll.2.dr	Static PE information: section name: .fptable
Source: UnRar.exe.2.dr	Static PE information: section name: _RDATA
Source: libpkcs11-helper-1.dll.2.dr	Static PE information: section name: .udata
Source: MSI906C.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI61B3.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6231.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6270.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI62A0.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI62FF.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6D51.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI8C72.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI8CC1.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI99B4.tmp.2.dr	Static PE information: section name: .fptable

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04ADBD82 push esp; ret	5_2_04ADBD93
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E2D2CD push rbx; iretd	8_2_00007FF673E2D2CE
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA20 push rsi; retf	8_2_00007FFBA970AA3B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA48 push rdi; retf	8_2_00007FFBA970AA4B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA58 push rsi; retf	8_2_00007FFBA970AA7B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA60 push rsi; retf	8_2_00007FFBA970AA63
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA78 push rsi; retf	8_2_00007FFBA970AA7B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA90 push rsi; retf	8_2_00007FFBA970AA9B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA98 push rbp; retf	8_2_00007FFBA970AAAB
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A9A0 push rbp; retf	8_2_00007FFBA970A9AB
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A9B0 push rsi; retf	8_2_00007FFBA970A9B3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A9C8 push rbp; retf	8_2_00007FFBA970A9D3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A9E0 push rsi; retf	8_2_00007FFBA970A9E3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA00 push rdi; retf	8_2_00007FFBA970AA03
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AA08 push rsi; retf	8_2_00007FFBA970AA13
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A940 push rsi; retf	8_2_00007FFBA970A943
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A948 push rsi; retf	8_2_00007FFBA970A94B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A950 push rsi; retf	8_2_00007FFBA970A95B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A960 push rbp; retf	8_2_00007FFBA970A973
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A968 push rbp; retf	8_2_00007FFBA970A96B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A970 push rbp; retf	8_2_00007FFBA970A973
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A978 push rsi; retf	8_2_00007FFBA970A983
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A990 push rbp; retf	8_2_00007FFBA970A903
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A990 push rdi; retf	8_2_00007FFBA970A993
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8C0 push rbp; retf	8_2_00007FFBA970A8C3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8C8 push rbp; retf	8_2_00007FFBA970A89B
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8C8 push rsi; retf	8_2_00007FFBA970A8D3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8D0 push rsi; retf	8_2_00007FFBA970A8D3
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8D8 push rsi; retf	8_2_00007FFBA970A893
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8D8 push rdi; retf	8_2_00007FFBA970A8DB
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970A8F8 push rdi; retf	8_2_00007FFBA970A8FB

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6270.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CC1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6231.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI906C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI61B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6D51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI99B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6270.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI906C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8CC1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8C72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI61B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6231.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6D51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI99B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI62A0.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95F54B0 GetLocalTime,CreateSemaphoreA,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,GetTempPathA,TrySubmitThreadpoolCallback,GetSystemDefaultUILanguage,QueryProtectedPolicy,FreeConsole,InitializeSListHead,GetTimeFormatW,GetStdHandle,GetConsoleAliasesLengthW,FileTimeToSystemTime,AreFileApisANSI,QueryThreadProfiling,GetNumaProcessorNodeEx,InitOnceComplete,GlobalSize,FindFirstFileNameTransactedW,SetConsoleTitleW,GetDiskFreeSpaceExW,DeleteBoundaryDescriptor,GetComputerNameW,SetThreadIdealProcessor,InitializeConditionVariable,GetThreadTimes,GetProcessWorkingSetSize,EqualRect,WaitForThreadpoolTimerCallbacks,SetThreadpoolThreadMinimum,GetSubMenu,GetApplicationRestartSettings,ReadConsoleOutputW,PhysicalToLogicalPoint,EnumResourceNamesW,PackDDElParam,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetMessagePos,SetFileShortNameW,CreateTapePartition,GetApplicationRecoveryCallback,GetMenuItemInfoW,LocalLock,GetProcessHeap,SetFileAttributesW,ContinueDebugEvent,GetAppContainerNamedObjectPath,GetPrivateProfileSectionW,IsBadStringPtrW,CreateSymbolicLinkW,GetFileTime,GetConsoleScreenBufferInfoEx,InitializeCriticalSection,FindFirstStreamW,PurgeComm,HeapAlloc,AddAtomW,CheckTokenCapability,SetupComm,GetConsoleFontSize,SetConsoleDisplayMode,GetModuleFileNameW,InitializeConditionVariable,CloseThreadpoolCleanupGroupMembers,MoveFileW,SetLocalTime,SetConsoleActiveScreenBuffer,ReclaimVirtualMemory,GetAtomNameW,SwitchToThread,AddSecureMemoryCacheCallback,AddVectoredContinueHandler,PulseEvent,SetThreadContext,AddSIDToBoundaryDescriptor,EnumLanguageGroupLocalesW,UnregisterApplicationRecoveryCallback,GetStringTypeA,GetDurationFormat,VirtualAlloc,HeapCreate,GetLastError,HeapAlloc,GetLastError,HeapFree,HeapDestroy,EnumResourceTypesExW,IsValidCodePage,IsBadWritePtr,ConvertThreadToFiber,GetPhysicallyInstalledSystemMemory,QueryUnbiasedInterruptTime,GetSystemRegistryQuota,ClearCommBreak,InitAtomTable,ConvertFiberToThread,CreateDirectoryW,GlobalFindAtomW,SetProcessPriorityBoost,FatalAppExitW,SetWaitableTimer,ReleaseSRWLockExclusive,GetProcessTimes,GetTickCount,GlobalAddAtomW,

8_2_00007FFBA95F54B0

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: GetAdaptersInfo,malloc,GetAdaptersInfo,malloc,

8_2_00007FF673EA7970

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3901			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 745			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6270.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8CC1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8C72.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6231.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI62A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI62FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI906C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI61B3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6D51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI99B4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95F7410 DefWindowProcW,InvalidateRect,BeginPaint,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,CreateSolidBrush,FillRect,GetStockObject,FrameRect,DeleteObject,EndPaint,KillTimer,PostQuitMessage,SetTimer,GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetTextColor,TerminateJobObject,InitializeSListHead,SetWindowOrgEx,TextOutW,RemoveFontResourceW,SetDefaultDllDirectories,GetConsoleSelectionInfo,MapUserPhysicalPagesScatter,GetCharWidthFloatW,GetSystemDefaultLCID,RemoveFontResourceExW,RemoveDirectoryTransactedW,ReleaseMutexWhenCallbackReturns,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,ClearCommBreak,InterlockedPushListSListEx,ClearCommBreak,GetCurrencyFormatW,OpenFileById,CancelThreadpoolIo,GlobalLock,GetConsoleTitleW,InitOnceExecuteOnce,GetConsoleScreenBufferInfoEx,SetTapeParameters,FindNextVolumeW,IsProcessInJob,InitializeConditionVariable,RegisterWaitForSingleObject,InitializeProcThreadAttributeList,GetSystemDefaultUILanguage,GetPhysicallyInstalledSystemMemory,CreateWaitableTimerW,ReadFile,GetCommModemStatus,EnumSystemGeoID,QueryIdleProcessorCycleTime,SetThreadpoolThreadMinimum,ApplicationRecoveryFinished,CreateEventExW,GetLogicalDrives,ScrollConsoleScreenBufferW,ReadConsoleOutputCharacterW,OpenFileById,SetConsoleHistoryInfo,OpenFileMappingW,OpenEventW,ExitProcess,

8_2_00007FFBA95F7410

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

API coverage: 1.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5628	Thread sleep count: 3901 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1460	Thread sleep count: 745 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FC940 FreeLibraryWhenCallbackReturns,CloseThreadpool,GetLargePageMinimum,SetWindowsHookExW,ChangeClipboardChain,ReadConsoleOutputAttribute,RegisterApplicationRestart,EnableScrollBar,IsBadCodePtr,CharLowerBuffW,GetCommandLineW,SetConsoleTextAttribute,CreateMailslotW,GetAltTabInfoW,EnumDisplayDevicesW,AdjustWindowRectEx,GetDCEx,GetNLSVersionEx,GetProcessWorkingSetSizeEx,RemoveDirectoryW,GetCalendarInfoW,CreateRectRgnIndirect,DefineDosDeviceW,GetTextExtentPoint32W,WriteProfileSectionW,VerifyScripts,GetKerningPairsW,EnumResourceTypesExW,GetFinalPathNameByHandleW,CreateDiscardableBitmap,EnterCriticalSection,StretchDIBits,GetDefaultCommConfigW,GetCurrentPositionEx,CreateICW,GetConsoleTitleW,VirtualUnlock,EnterSynchronizationBarrier,InterlockedPushListSListEx,SetProcessPreferredUILanguages,AddSecureMemoryCacheCallback,ResetEvent,CreatePipe,GetNumaHighestNodeNumber,GetProcessAffinityMask,EnumDateFormatsW,HeapUnlock,SetConsoleActiveScreenBuffer,GetProcessMitigationPolicy,WaitNamedPipeW,GetNumaProcessorNode,LocalReAlloc,SetDllDirectoryW,lstrcatW,IsValidLocale,ApplicationRecoveryFinished,CreateFileMappingNumaW,NeedCurrentDirectoryForExePathW,SetThreadpoolWait,WriteTapemark,CreateDirectoryW,QueryIdleProcessorCycleTimeEx,CreateSemaphoreExW,SetConsoleActiveScreenBuffer,PathFileExistsA,UnhandledExceptionFilter,ApplicationRecoveryInProgress,TryAcquireSRWLockShared,IsDBCSLeadByte,ReadConsoleInputW,SwitchToFiber,FlushProcessWriteBuffers,AllocateUserPhysicalPagesNuma,SetConsoleActiveScreenBuffer,BackupWrite,SetFileApisToANSI,GetPriorityClass,GetConsoleProcessList,GetTapeStatus,GetVersionExW,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,ReleaseSemaphore,VirtualProtectEx,WriteProcessMemory,FindNextFileW,SetProtectedPolicy,EnumSystemFirmwareTables,OpenFileMappingW,GetNamedPipeServerSessionId,CreateFileW,CommConfigDialogW,GetFileType,FindNextChangeNotification,LocalAlloc,CreateDirectoryW,GetConsoleCursorInfo,CreateThreadpool,SetProcessAffinityUpdateMode,GetFileAttributesExW,CallbackMayRunLong,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,Wow64DisableWow64FsRedirection,GlobalReAlloc,DefWindowProcW,EnumSystemFirmwareTables,DialogBoxIndirectParamW,GetNumaNodeProcessorMask,GetConsoleCursorInfo,lstrcpyW,GetDllDirectoryW,LocalSize,FindNextStreamW,CreateNamedPipeW,WakeConditionVariable,TrackMouseEvent,Wow64DisableWow64FsRedirection,RegisterHotKey,GetActiveProcessorCount,FileTimeToSystemTime,GetNumaProximityNodeEx,ExitProcess,Concurrency::cancel_current_task,ExitProcess,	8_2_00007FFBA95FC940
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95FA110 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,VirtualFree,EscapeCommFunction,DeleteFileTransactedW,CheckRemoteDebuggerPresent,GetCommConfig,FlsFree,UnhandledExceptionFilter,HeapQueryInformation,CompareStringW,GlobalFlags,CreateSemaphoreW,CloseHandle,FillConsoleOutputCharacterW,SetProcessDEPPolicy,QueryMemoryResourceNotification,ReadFile,VirtualUnlock,SetConsoleWindowInfo,SetFileValidData,FreeLibraryWhenCallbackReturns,GetStringTypeExW,WakeAllConditionVariable,CreateFileMappingFromApp,GetSystemTimeAdjustment,GetFileAttributesW,VerifyScripts,CreateFiber,InterlockedFlushSList,ReleaseMutexWhenCallbackReturns,GetMaximumProcessorGroupCount,AllocateUserPhysicalPages,CreateSemaphoreW,VerSetConditionMask,GetConsoleScreenBufferInfoEx,DeviceIoControl,EnumSystemLocalesW,DeleteFiber,SetNamedPipeHandleState,HeapUnlock,GetSystemFileCacheSize,CompareStringOrdinal,CreateEventExW,DeviceIoControl,PostQueuedCompletionStatus,GetCurrentProcessId,SystemTimeToFileTime,SetupComm,MultiByteToWideChar,VirtualProtect,EndUpdateResourceW,FindFirstFileExW,ExpandEnvironmentStringsW,GetModuleFileNameW,GetCalendarInfoW,GetProcAddress,WriteTapemark,ReadConsoleOutputW,FindFirstVolumeMountPointW,OpenProcess,QueryThreadProfiling,CreateMutexExW,SetConsoleCtrlHandler,GetThreadTimes,GetConsoleCP,GetNamedPipeClientComputerNameW,SetCommTimeouts,FindFirstVolumeW,AddDllDirectory,QueryDepthSList,GetCurrentProcessId,OpenFileById,GetEnvironmentStringsW,SetFirmwareEnvironmentVariableExW,OutputDebugStringA,	8_2_00007FFBA95FA110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F47C0 GetTempPathA,GetTempFileNameA,RequestWakeupLatency,IsSystemResumeAutomatic,AngleArc,GetThreadUILanguage,DuplicateHandle,RtlUnwind,SetThreadPriorityBoost,FindFirstFileTransactedW,SetProcessDEPPolicy,GetTapeStatus,GetMemoryErrorHandlingCapabilities,FindFirstFileExW,GetHandleInformation,GetSystemWindowsDirectoryW,GlobalReAlloc,lstrcmpiW,SetThreadpoolWaitEx,AddFontMemResourceEx,CreateSemaphoreW,SetLayout,GetProfileIntW,ConvertDefaultLocale,GlobalUnlock,AttachConsole,CreateHardLinkW,GetModuleHandleW,GetDCBrushColor,GetFontLanguageInfo,SetThreadLocale,GetROP2,SetThreadErrorMode,GetNLSVersion,GetGeoInfoW,RemoveDirectoryW,GetTempFileNameW,GetTimeZoneInformation,GetProcessGroupAffinity,GetNumberFormatW,RegisterApplicationRestart,FlsSetValue,AssignProcessToJobObject,CreateThreadpoolIo,SetTapeParameters,BackupSeek,GlobalMemoryStatus,MoveFileW,CreateHardLinkW,SetDefaultDllDirectories,GetCurrentThread,WaitNamedPipeW,RegOpenKeyExA,CreateEventExW,VirtualFree,ReadFileEx,GetConsoleOriginalTitleW,ReadConsoleOutputW,CreateSemaphoreExW,RtlCaptureStackBackTrace,DebugSetProcessKillOnExit,GetCommMask,GetTempFileNameW,GetNumaNodeProcessorMaskEx,AddSIDToBoundaryDescriptor,HeapSize,GetProcAddress,GetNumaNodeProcessorMask,SetProcessWorkingSetSize,SetConsoleHistoryInfo,GetPrivateProfileSectionNamesW,CommConfigDialogW,lstrcpyW,QueryIdleProcessorCycleTimeEx,GetThreadPreferredUILanguages,AddScopedPolicyIDAce,RegQueryValueExA,HeapCompact,CheckTokenMembershipEx,lstrcatW,SetWaitableTimer,GetSystemWow64DirectoryW,GetConsoleTitleW,InterlockedPushListSListEx,SetTimeZoneInformation,GetActiveProcessorGroupCount,HeapValidate,GetConsoleScreenBufferInfoEx,FindFirstFileExW,GetConsoleCP,CreateDirectoryTransactedW,GetConsoleAliasW,HeapCreate,RemoveSecureMemoryCacheCallback,GetSystemTimeAsFileTime,GetFileMUIInfo,GetSystemWow64DirectoryW,InitializeCriticalSection,Wow64SuspendThread,RegCloseKey,OutputDebugStringA,	8_2_00007FFBA95F47C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F54B0 GetLocalTime,CreateSemaphoreA,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,GetTempPathA,TrySubmitThreadpoolCallback,GetSystemDefaultUILanguage,QueryProtectedPolicy,FreeConsole,InitializeSListHead,GetTimeFormatW,GetStdHandle,GetConsoleAliasesLengthW,FileTimeToSystemTime,AreFileApisANSI,QueryThreadProfiling,GetNumaProcessorNodeEx,InitOnceComplete,GlobalSize,FindFirstFileNameTransactedW,SetConsoleTitleW,GetDiskFreeSpaceExW,DeleteBoundaryDescriptor,GetComputerNameW,SetThreadIdealProcessor,InitializeConditionVariable,GetThreadTimes,GetProcessWorkingSetSize,EqualRect,WaitForThreadpoolTimerCallbacks,SetThreadpoolThreadMinimum,GetSubMenu,GetApplicationRestartSettings,ReadConsoleOutputW,PhysicalToLogicalPoint,EnumResourceNamesW,PackDDElParam,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,GetMessagePos,SetFileShortNameW,CreateTapePartition,GetApplicationRecoveryCallback,GetMenuItemInfoW,LocalLock,GetProcessHeap,SetFileAttributesW,ContinueDebugEvent,GetAppContainerNamedObjectPath,GetPrivateProfileSectionW,IsBadStringPtrW,CreateSymbolicLinkW,GetFileTime,GetConsoleScreenBufferInfoEx,InitializeCriticalSection,FindFirstStreamW,PurgeComm,HeapAlloc,AddAtomW,CheckTokenCapability,SetupComm,GetConsoleFontSize,SetConsoleDisplayMode,GetModuleFileNameW,InitializeConditionVariable,CloseThreadpoolCleanupGroupMembers,MoveFileW,SetLocalTime,SetConsoleActiveScreenBuffer,ReclaimVirtualMemory,GetAtomNameW,SwitchToThread,AddSecureMemoryCacheCallback,AddVectoredContinueHandler,PulseEvent,SetThreadContext,AddSIDToBoundaryDescriptor,EnumLanguageGroupLocalesW,UnregisterApplicationRecoveryCallback,GetStringTypeA,GetDurationFormat,VirtualAlloc,HeapCreate,GetLastError,HeapAlloc,GetLastError,HeapFree,HeapDestroy,EnumResourceTypesExW,IsValidCodePage,IsBadWritePtr,ConvertThreadToFiber,GetPhysicallyInstalledSystemMemory,QueryUnbiasedInterruptTime,GetSystemRegistryQuota,ClearCommBreak,InitAtomTable,ConvertFiberToThread,CreateDirectoryW,GlobalFindAtomW,SetProcessPriorityBoost,FatalAppExitW,SetWaitableTimer,ReleaseSRWLockExclusive,GetProcessTimes,GetTickCount,GlobalAddAtomW,	8_2_00007FFBA95F54B0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA95F8BD0 GetCurrentProcess,LocalFileTimeToFileTime,EraseTape,GetQueuedCompletionStatus,QueryProcessCycleTime,CancelWaitableTimer,GetStringTypeA,GetSystemWow64DirectoryW,BackupSeek,LockFileEx,CreateMemoryResourceNotification,VerifyScripts,MoveFileTransactedW,QueueUserAPC,GetProcessIoCounters,LeaveCriticalSection,ChangeTimerQueueTimer,SetEvent,AllocateUserPhysicalPagesNuma,GetTickCount,GetVolumePathNamesForVolumeNameW,GlobalAlloc,SetFileAttributesW,GetComputerNameW,EndMenu,EnumPropsW,EnumResourceNamesW,CreateSemaphoreW,GetForegroundWindow,SetProcessMitigationPolicy,WaitForMultipleObjectsEx,CreateFiberEx,GetThreadDesktop,IsCharLowerW,SetProcessRestrictionExemption,UnregisterDeviceNotification,ScrollDC,RegisterPointerInputTargetEx,SetPhysicalCursorPos,GetMenuStringW,SetKeyboardState,VkKeyScanExW,PostMessageW,GetDiskFreeSpaceExW,LCIDToLocaleName,LockFileEx,LocalFree,LockFile,QueryIdleProcessorCycleTime,InitializeSListHead,Wow64SetThreadContext,CreateDirectoryExW,GetNamedPipeServerProcessId,CreateSymbolicLinkTransactedW,GetVolumeInformationByHandleW,EnumResourceNamesExW,IsValidCodePage,GetModuleHandleW,CancelIo,HeapCompact,SwitchToFiber,ConvertThreadToFiberEx,GetNamedPipeInfo,AcquireSRWLockExclusive,InitOnceComplete,FormatMessageW,FlsAlloc,GetConsoleTitleW,SwitchToFiber,CreateDirectoryExW,CreatePrivateNamespaceW,QueryPerformanceCounter,PurgeComm,EnumUILanguagesW,CreateEventW,MoveFileWithProgressW,FindFirstFileW,CompareStringEx,IsBadStringPtrW,OfferVirtualMemory,GetCurrentThread,ExtSelectClipRgn,GetNamedPipeClientSessionId,LocalFileTimeToFileTime,RtlCaptureStackBackTrace,GetProcessHeap,CreateDirectoryW,RectVisible,FreeEnvironmentStringsW,SetFileAttributesW,AnimatePalette,CopyFile2,CreateDIBPatternBrush,SetThreadpoolThreadMaximum,CreateMutexExW,SetCommTimeouts,QueryThreadpoolStackInformation,GenerateConsoleCtrlEvent,SetThreadpoolStackInformation,AddDllDirectory,GetNativeSystemInfo,SetThreadpoolWait,SetFileAttributesW,SetDefaultDllDirectories,GetLocaleInfoW,GetOverlappedResult,OutputDebugStringW,CallNamedPipeW,RtlUnwind,SetCommTimeouts,GetProfileStringW,CreateEventExW,GetPrivateProfileIntW,WinExec,GetProfileStringW,EraseTape,FindNextVolumeW,QueryThreadCycleTime,ResetEvent,GetNamedPipeHandleStateW,DeleteFileW,CalculatePopupWindowPosition,GetWindowPlacement,IsCharAlphaW,GetConsoleAliasExesLengthW,InterlockedFlushSList,GetConsoleAliasExesW,ReadDirectoryChangesW,QueryPerformanceCounter,GetOverlappedResultEx,GetKBCodePage,GetActiveProcessorCount,GetMenuItemID,GetCommState,FindFirstFileW,DdeReconnect,CreateRemoteThread,GetRawInputData,GetNamedPipeInfo,GetAtomNameW,IsBadStringPtrW,RtlCaptureStackBackTrace,FindNextChangeNotification,HeapReAlloc,SetThreadErrorMode,EnterSynchronizationBarrier,GetLogicalDrives,ExitProcess,	8_2_00007FFBA95F8BD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AAC8 FindFirstFileNameTransactedW,FindFirstStreamW,CopyFile2,	8_2_00007FFBA970AAC8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9656CF8 FindClose,FindFirstFileExW,GetLastError,	8_2_00007FFBA9656CF8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA9656D6C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	8_2_00007FFBA9656D6C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970B038 FindFirstFileW,	8_2_00007FFBA970B038
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AFF0 FindFirstFileExW,	8_2_00007FFBA970AFF0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970B008 FindFirstFileA,	8_2_00007FFBA970B008
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96745C4 FindFirstFileExW,	8_2_00007FFBA96745C4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/QBclasses/sun/tools/attach/VirtualMachineImpl$PipedInputStream.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QFclasses/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version3.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q5classes/com/sun/jdi/PathSearchingVirtualMachine.class}
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QJclasses/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QWclasses/META-INF/providers/org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/jdi/PathSearchingVirtualMachine.class}
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QCclasses/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QBclasses/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/core/common/type/SymbolicJVMCIReference.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/HotSpotAttachProvider$HotSpotVirtualMachineDescriptor.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/core/common/type/SymbolicJVMCIReference.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QEclasses/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version3.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version3.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses$ClassInfo.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/HotSpotVirtualMachine.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/Q1classes/sun/tools/attach/VirtualMachineImpl.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/VirtualMachineImpl.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/VirtualMachineImpl$PipedInputStream.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/com/sun/tools/attach/VirtualMachineDescriptor.classPK
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/jdi/VirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q@classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/VirtualMachineImpl$PipedInputStream.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QPclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q4classes/com/sun/tools/jdi/VirtualMachineImpl$1.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/com/sun/tools/attach/VirtualMachine.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version2.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator$Shared.classPK
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/api/runtime/GraalJVMCICompiler.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q<classes/com/sun/tools/jdi/VirtualMachineManagerService.class}
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q@classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/Q<classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerImpl.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: (classes/sun/tools/attach/HotSpotAttachProvider$HotSpotVirtualMachineDescriptor.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/Q4classes/sun/tools/attach/HotSpotVirtualMachine.class
Source: jdk.jconsole.jmod.2.dr	Binary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/META-INF/providers/org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocatorPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QEclasses/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QEclasses/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version2.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QBclasses/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QAclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QHclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses$ClassInfo.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator$Shared.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QQclasses/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator$Shared.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QLclasses/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/api/runtime/GraalJVMCICompiler.class;
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: B4Iclasses/sun/tools/attach/VirtualMachineImpl$PipedInputStream.classPK
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QJclasses/org/graalvm/compiler/core/common/type/SymbolicJVMCIReference.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q2classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q:classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerService.class}
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QFclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: T-4G3classes/sun/tools/attach/HotSpotVirtualMachine.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/com/sun/tools/attach/VirtualMachine.class
Source: jdk.jconsole.jmod.2.dr	Binary or memory string: n/Q4classes/sun/tools/jconsole/LocalVirtualMachine.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QDclasses/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/META-INF/providers/org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QCclasses/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QIclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: Lclasses/sun/tools/attach/VirtualMachineImpl.classPK
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version.classPK
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/JVMCIVersionCheck$Version2.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/QTclasses/sun/tools/attach/HotSpotAttachProvider$HotSpotVirtualMachineDescriptor.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: classes/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator.classPK
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/Q;classes/com/sun/tools/attach/VirtualMachineDescriptor.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/VirtualMachineImpl.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QJclasses/org/graalvm/compiler/hotspot/HotSpotGraalJVMCIServiceLocator.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/HotSpotVirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q3classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: n/Q1classes/com/sun/tools/attach/VirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jconsole.jmod.2.dr	Binary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.classPK
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q9classes/com/sun/tools/jdi/VirtualMachineManagerImpl.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q(classes/com/sun/jdi/VirtualMachine.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QSclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/com/sun/tools/attach/VirtualMachineDescriptor.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/QHclasses/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q8classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.attach.jmod.2.dr	Binary or memory string: classes/sun/tools/attach/HotSpotAttachProvider$HotSpotVirtualMachineDescriptor.class
Source: jdk.jdi.jmod.2.dr	Binary or memory string: n/Q/classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.internal.vm.compiler.jmod.2.dr	Binary or memory string: n/QAclasses/org/graalvm/compiler/api/runtime/GraalJVMCICompiler.class;

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95FA110 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,VirtualFree,EscapeCommFunction,DeleteFileTransactedW,CheckRemoteDebuggerPresent,GetCommConfig,FlsFree,UnhandledExceptionFilter,HeapQueryInformation,CompareStringW,GlobalFlags,CreateSemaphoreW,CloseHandle,FillConsoleOutputCharacterW,SetProcessDEPPolicy,QueryMemoryResourceNotification,ReadFile,VirtualUnlock,SetConsoleWindowInfo,SetFileValidData,FreeLibraryWhenCallbackReturns,GetStringTypeExW,WakeAllConditionVariable,CreateFileMappingFromApp,GetSystemTimeAdjustment,GetFileAttributesW,VerifyScripts,CreateFiber,InterlockedFlushSList,ReleaseMutexWhenCallbackReturns,GetMaximumProcessorGroupCount,AllocateUserPhysicalPages,CreateSemaphoreW,VerSetConditionMask,GetConsoleScreenBufferInfoEx,DeviceIoControl,EnumSystemLocalesW,DeleteFiber,SetNamedPipeHandleState,HeapUnlock,GetSystemFileCacheSize,CompareStringOrdinal,CreateEventExW,DeviceIoControl,PostQueuedCompletionStatus,GetCurrentProcessId,SystemTimeToFileTime,SetupComm,MultiByteToWideChar,VirtualProtect,EndUpdateResourceW,FindFirstFileExW,ExpandEnvironmentStringsW,GetModuleFileNameW,GetCalendarInfoW,GetProcAddress,WriteTapemark,ReadConsoleOutputW,FindFirstVolumeMountPointW,OpenProcess,QueryThreadProfiling,CreateMutexExW,SetConsoleCtrlHandler,GetThreadTimes,GetConsoleCP,GetNamedPipeClientComputerNameW,SetCommTimeouts,FindFirstVolumeW,AddDllDirectory,QueryDepthSList,GetCurrentProcessId,OpenFileById,GetEnvironmentStringsW,SetFirmwareEnvironmentVariableExW,OutputDebugStringA,

8_2_00007FFBA95FA110

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA970AF60 IsDebuggerPresent,

8_2_00007FFBA970AF60

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95FC940 FreeLibraryWhenCallbackReturns,CloseThreadpool,GetLargePageMinimum,SetWindowsHookExW,ChangeClipboardChain,ReadConsoleOutputAttribute,RegisterApplicationRestart,EnableScrollBar,IsBadCodePtr,CharLowerBuffW,GetCommandLineW,SetConsoleTextAttribute,CreateMailslotW,GetAltTabInfoW,EnumDisplayDevicesW,AdjustWindowRectEx,GetDCEx,GetNLSVersionEx,GetProcessWorkingSetSizeEx,RemoveDirectoryW,GetCalendarInfoW,CreateRectRgnIndirect,DefineDosDeviceW,GetTextExtentPoint32W,WriteProfileSectionW,VerifyScripts,GetKerningPairsW,EnumResourceTypesExW,GetFinalPathNameByHandleW,CreateDiscardableBitmap,EnterCriticalSection,StretchDIBits,GetDefaultCommConfigW,GetCurrentPositionEx,CreateICW,GetConsoleTitleW,VirtualUnlock,EnterSynchronizationBarrier,InterlockedPushListSListEx,SetProcessPreferredUILanguages,AddSecureMemoryCacheCallback,ResetEvent,CreatePipe,GetNumaHighestNodeNumber,GetProcessAffinityMask,EnumDateFormatsW,HeapUnlock,SetConsoleActiveScreenBuffer,GetProcessMitigationPolicy,WaitNamedPipeW,GetNumaProcessorNode,LocalReAlloc,SetDllDirectoryW,lstrcatW,IsValidLocale,ApplicationRecoveryFinished,CreateFileMappingNumaW,NeedCurrentDirectoryForExePathW,SetThreadpoolWait,WriteTapemark,CreateDirectoryW,QueryIdleProcessorCycleTimeEx,CreateSemaphoreExW,SetConsoleActiveScreenBuffer,PathFileExistsA,UnhandledExceptionFilter,ApplicationRecoveryInProgress,TryAcquireSRWLockShared,IsDBCSLeadByte,ReadConsoleInputW,SwitchToFiber,FlushProcessWriteBuffers,AllocateUserPhysicalPagesNuma,SetConsoleActiveScreenBuffer,BackupWrite,SetFileApisToANSI,GetPriorityClass,GetConsoleProcessList,GetTapeStatus,GetVersionExW,FindFirstFileA,FindNextFileA,FindClose,OutputDebugStringA,FindClose,RegOpenKeyExA,RegQueryValueExA,OutputDebugStringA,RegCloseKey,ReleaseSemaphore,VirtualProtectEx,WriteProcessMemory,FindNextFileW,SetProtectedPolicy,EnumSystemFirmwareTables,OpenFileMappingW,GetNamedPipeServerSessionId,CreateFileW,CommConfigDialogW,GetFileType,FindNextChangeNotification,LocalAlloc,CreateDirectoryW,GetConsoleCursorInfo,CreateThreadpool,SetProcessAffinityUpdateMode,GetFileAttributesExW,CallbackMayRunLong,GetTempPathA,CreateDirectoryA,GetLastError,OutputDebugStringA,Wow64DisableWow64FsRedirection,GlobalReAlloc,DefWindowProcW,EnumSystemFirmwareTables,DialogBoxIndirectParamW,GetNumaNodeProcessorMask,GetConsoleCursorInfo,lstrcpyW,GetDllDirectoryW,LocalSize,FindNextStreamW,CreateNamedPipeW,WakeConditionVariable,TrackMouseEvent,Wow64DisableWow64FsRedirection,RegisterHotKey,GetActiveProcessorCount,FileTimeToSystemTime,GetNumaProximityNodeEx,ExitProcess,Concurrency::cancel_current_task,ExitProcess,

8_2_00007FFBA95FC940

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95FED50 QueryIdleProcessorCycleTime,GetCompressedFileSizeTransactedW,UpdateResourceW,SetupComm,SetThreadPreferredUILanguages,VirtualAllocEx,UnlockFile,SetTimeZoneInformation,GetDynamicTimeZoneInformation,SetThreadDescription,MultiByteToWideChar,TryEnterCriticalSection,GetProcessHeap,SetUserGeoID,GetFileBandwidthReservation,CompareStringW,SetComputerNameW,CreateMailslotW,GetConsoleMode,SetFirmwareEnvironmentVariableExW,WakeAllConditionVariable,SetEnvironmentVariableW,MulDiv,EndUpdateResourceW,WaitForThreadpoolWorkCallbacks,VirtualFree,SystemTimeToTzSpecificLocalTime,ReleaseSemaphore,GetActiveProcessorCount,FindFirstVolumeW,WinExec,SetSystemPowerState,BeginUpdateResourceW,GetMaximumProcessorCount,SetTapePosition,GetThreadId,GlobalFree,HeapDestroy,BeginUpdateResourceW,HeapAlloc,SetStdHandle,SleepConditionVariableCS,GetProcessMitigationPolicy,GetSystemPreferredUILanguages,IsBadStringPtrW,GetModuleFileNameW,OutputDebugStringA,

8_2_00007FFBA95FED50

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe "C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673EBC9F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF673EBC9F0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA970AF58 SetUnhandledExceptionFilter,	8_2_00007FFBA970AF58
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA965881C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFBA965881C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBA96646C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFBA96646C0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB01FC20 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFBBB01FC20
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FFBBB01F040 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFBBB01F040

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss90f4.ps1" -propfile "c:\users\user\appdata\local\temp\msi90e1.txt" -scriptfile "c:\users\user\appdata\local\temp\scr90e2.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr90e3.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss90f4.ps1" -propfile "c:\users\user\appdata\local\temp\msi90e1.txt" -scriptfile "c:\users\user\appdata\local\temp\scr90e2.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr90e3.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FF673EB3F40 GetStdHandle,GetConsoleMode,SetConsoleMode,_exit,SetConsoleCtrlHandler,MultiByteToWideChar,malloc,MultiByteToWideChar,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,WaitForSingleObject,free,_exit,

8_2_00007FF673EB3F40

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA967E130 cpuid

8_2_00007FFBA967E130

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,VirtualFree,EscapeCommFunction,DeleteFileTransactedW,CheckRemoteDebuggerPresent,GetCommConfig,FlsFree,UnhandledExceptionFilter,HeapQueryInformation,CompareStringW,GlobalFlags,CreateSemaphoreW,CloseHandle,FillConsoleOutputCharacterW,SetProcessDEPPolicy,QueryMemoryResourceNotification,ReadFile,VirtualUnlock,SetConsoleWindowInfo,SetFileValidData,FreeLibraryWhenCallbackReturns,GetStringTypeExW,WakeAllConditionVariable,CreateFileMappingFromApp,GetSystemTimeAdjustment,GetFileAttributesW,VerifyScripts,CreateFiber,InterlockedFlushSList,ReleaseMutexWhenCallbackReturns,GetMaximumProcessorGroupCount,AllocateUserPhysicalPages,CreateSemaphoreW,VerSetConditionMask,GetConsoleScreenBufferInfoEx,DeviceIoControl,EnumSystemLocalesW,DeleteFiber,SetNamedPipeHandleState,HeapUnlock,GetSystemFileCacheSize,CompareStringOrdinal,CreateEventExW,DeviceIoControl,PostQueuedCompletionStatus,GetCurrentProcessId,SystemTimeToFileTime,SetupComm,MultiByteToWideChar,VirtualProtect,EndUpdateResourceW,FindFirstFileExW,ExpandEnvironmentStringsW,GetModuleFileNameW,GetCalendarInfoW,GetProcAddress,WriteTapemark,ReadConsoleOutputW,FindFirstVolumeMountPointW,OpenProcess,QueryThreadProfiling,CreateMutexExW,SetConsoleCtrlHandler,GetThreadTimes,GetConsoleCP,GetNamedPipeClientComputerNameW,SetCommTimeouts,FindFirstVolumeW,AddDllDirectory,QueryDepthSList,GetCurrentProcessId,OpenFileById,GetEnvironmentStringsW,SetFirmwareEnvironmentVariableExW,OutputDebugStringA,	8_2_00007FFBA95FA110
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	8_2_00007FFBA9678A0C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00007FFBA967895C
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetCurrentProcess,LocalFileTimeToFileTime,EraseTape,GetQueuedCompletionStatus,QueryProcessCycleTime,CancelWaitableTimer,GetStringTypeA,GetSystemWow64DirectoryW,BackupSeek,LockFileEx,CreateMemoryResourceNotification,VerifyScripts,MoveFileTransactedW,QueueUserAPC,GetProcessIoCounters,LeaveCriticalSection,ChangeTimerQueueTimer,SetEvent,AllocateUserPhysicalPagesNuma,GetTickCount,GetVolumePathNamesForVolumeNameW,GlobalAlloc,SetFileAttributesW,GetComputerNameW,EndMenu,EnumPropsW,EnumResourceNamesW,CreateSemaphoreW,GetForegroundWindow,SetProcessMitigationPolicy,WaitForMultipleObjectsEx,CreateFiberEx,GetThreadDesktop,IsCharLowerW,SetProcessRestrictionExemption,UnregisterDeviceNotification,ScrollDC,RegisterPointerInputTargetEx,SetPhysicalCursorPos,GetMenuStringW,SetKeyboardState,VkKeyScanExW,PostMessageW,GetDiskFreeSpaceExW,LCIDToLocaleName,LockFileEx,LocalFree,LockFile,QueryIdleProcessorCycleTime,InitializeSListHead,Wow64SetThreadContext,CreateDirectoryExW,GetNamedPipeServerProcessId,CreateSymbolicLinkTransactedW,GetVolumeInformationByHandleW,EnumResourceNamesExW,IsValidCodePage,GetModuleHandleW,CancelIo,HeapCompact,SwitchToFiber,ConvertThreadToFiberEx,GetNamedPipeInfo,AcquireSRWLockExclusive,InitOnceComplete,FormatMessageW,FlsAlloc,GetConsoleTitleW,SwitchToFiber,CreateDirectoryExW,CreatePrivateNamespaceW,QueryPerformanceCounter,PurgeComm,EnumUILanguagesW,CreateEventW,MoveFileWithProgressW,FindFirstFileW,CompareStringEx,IsBadStringPtrW,OfferVirtualMemory,GetCurrentThread,ExtSelectClipRgn,GetNamedPipeClientSessionId,LocalFileTimeToFileTime,RtlCaptureStackBackTrace,GetProcessHeap,CreateDirectoryW,RectVisible,FreeEnvironmentStringsW,SetFileAttributesW,AnimatePalette,CopyFile2,CreateDIBPatternBrush,SetThreadpoolThreadMaximum,CreateMutexExW,SetCommTimeouts,QueryThreadpoolStackInformation,GenerateConsoleCtrlEvent,SetThreadpoolStackInformation,AddDllDirectory,GetNativeSystemInfo,SetThreadpoolWait,SetFileAttributesW,SetDefaultDllDirectories,GetLocaleInfoW,GetOverlappedResult,OutputDebugStringW,CallNamedPipeW,RtlUnwind,SetCommTimeouts,GetProfileStringW,CreateEventExW,GetPrivateProfileIntW,WinExec,GetProfileStringW,EraseTape,FindNextVolumeW,QueryThreadCycleTime,ResetEvent,GetNamedPipeHandleStateW,DeleteFileW,CalculatePopupWindowPosition,GetWindowPlacement,IsCharAlphaW,GetConsoleAliasExesLengthW,InterlockedFlushSList,GetConsoleAliasExesW,ReadDirectoryChangesW,QueryPerformanceCounter,GetOverlappedResultEx,GetKBCodePage,GetActiveProcessorCount,GetMenuItemID,GetCommState,FindFirstFileW,DdeReconnect,CreateRemoteThread,GetRawInputData,GetNamedPipeInfo,GetAtomNameW,IsBadStringPtrW,RtlCaptureStackBackTrace,FindNextChangeNotification,HeapReAlloc,SetThreadErrorMode,EnterSynchronizationBarrier,GetLogicalDrives,ExitProcess,	8_2_00007FFBA95F8BD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	8_2_00007FFBA970AB58
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00007FFBA9678B40
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	8_2_00007FFBA966ECD0
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_00007FFBA96780F8
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	8_2_00007FFBA9678454
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00007FFBA96785BC
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	8_2_00007FFBA9678524
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoW,	8_2_00007FFBA9678804
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: EnumSystemLocalesW,	8_2_00007FFBA966E790
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: GetLocaleInfoEx,FormatMessageA,	8_2_00007FFBA965600C

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

8_2_00007FFBA95FC940

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FF673EBD3EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

8_2_00007FF673EBD3EC

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Code function: 8_2_00007FFBA95F47C0 GetTempPathA,GetTempFileNameA,RequestWakeupLatency,IsSystemResumeAutomatic,AngleArc,GetThreadUILanguage,DuplicateHandle,RtlUnwind,SetThreadPriorityBoost,FindFirstFileTransactedW,SetProcessDEPPolicy,GetTapeStatus,GetMemoryErrorHandlingCapabilities,FindFirstFileExW,GetHandleInformation,GetSystemWindowsDirectoryW,GlobalReAlloc,lstrcmpiW,SetThreadpoolWaitEx,AddFontMemResourceEx,CreateSemaphoreW,SetLayout,GetProfileIntW,ConvertDefaultLocale,GlobalUnlock,AttachConsole,CreateHardLinkW,GetModuleHandleW,GetDCBrushColor,GetFontLanguageInfo,SetThreadLocale,GetROP2,SetThreadErrorMode,GetNLSVersion,GetGeoInfoW,RemoveDirectoryW,GetTempFileNameW,GetTimeZoneInformation,GetProcessGroupAffinity,GetNumberFormatW,RegisterApplicationRestart,FlsSetValue,AssignProcessToJobObject,CreateThreadpoolIo,SetTapeParameters,BackupSeek,GlobalMemoryStatus,MoveFileW,CreateHardLinkW,SetDefaultDllDirectories,GetCurrentThread,WaitNamedPipeW,RegOpenKeyExA,CreateEventExW,VirtualFree,ReadFileEx,GetConsoleOriginalTitleW,ReadConsoleOutputW,CreateSemaphoreExW,RtlCaptureStackBackTrace,DebugSetProcessKillOnExit,GetCommMask,GetTempFileNameW,GetNumaNodeProcessorMaskEx,AddSIDToBoundaryDescriptor,HeapSize,GetProcAddress,GetNumaNodeProcessorMask,SetProcessWorkingSetSize,SetConsoleHistoryInfo,GetPrivateProfileSectionNamesW,CommConfigDialogW,lstrcpyW,QueryIdleProcessorCycleTimeEx,GetThreadPreferredUILanguages,AddScopedPolicyIDAce,RegQueryValueExA,HeapCompact,CheckTokenMembershipEx,lstrcatW,SetWaitableTimer,GetSystemWow64DirectoryW,GetConsoleTitleW,InterlockedPushListSListEx,SetTimeZoneInformation,GetActiveProcessorGroupCount,HeapValidate,GetConsoleScreenBufferInfoEx,FindFirstFileExW,GetConsoleCP,CreateDirectoryTransactedW,GetConsoleAliasW,HeapCreate,RemoveSecureMemoryCacheCallback,GetSystemTimeAsFileTime,GetFileMUIInfo,GetSystemWow64DirectoryW,InitializeCriticalSection,Wow64SuspendThread,RegCloseKey,OutputDebugStringA,

8_2_00007FFBA95F47C0

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

8_2_00007FFBA95FC940

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E3D370 socket,listen,_exit,getsockname,free,free,	8_2_00007FF673E3D370
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E85E60 setsockopt,bind,_exit,	8_2_00007FF673E85E60
Source: C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	Code function: 8_2_00007FF673E85660 listen,_exit,free,free,	8_2_00007FF673E85660

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Network Sniffing	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	11 Input Capture	21 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	12 Process Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Network Sniffing	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	36 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
m9u08f2pMF.msi	26%	ReversingLabs	Win64.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll	42%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe	0%	ReversingLabs
C:\Windows\Installer\MSI61B3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6231.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6270.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI62A0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI62FF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6D51.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8C72.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8CC1.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI906C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI99B4.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://taco-keys.com/licenseUser.phpAI_DATA_SETTER_4Params	100%	Avira URL Cloud	malware
https://win.crashes.videolan.org/reportsCONOUT$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
taco-keys.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://win.crashes.videolan.org/reportsCONOUT$	vlc.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
http://openvpn.net/howto.html#mitm	openvpn.exe, openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1770372215.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mingw-w64.sourceforge.net/X	libwinpthread-1.dll.2.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.1770372215.000000000581F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taco-keys.com/licenseUser.phpAI_DATA_SETTER_4Params	m9u08f2pMF.msi	false	Avira URL Cloud: malware	unknown
https://contoso.com/	powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000005.00000002.1773918147.000000000772A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	openvpn.exe, 00000008.00000002.1867903344.00007FFBA9ECF000.00000002.00000001.01000000.00000008.sdmp, openvpn.exe, 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.1772648932.0000000006157000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gnu.org/licenses/	libgpg-error-0.dll.2.dr	false		high
https://gnu.org/licenses/gpl.html	libgpg-error-0.dll.2.dr	false		high
http://www.videolan.org/	vlc.exe.2.dr	false		high
http://openvpn.net/faq.html#dhcpclientserv	openvpn.exe, openvpn.exe, 00000008.00000000.1856489278.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1863713804.00007FF673EBE000.00000002.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1770372215.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.openssl.org/	openvpn.exe	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1770372215.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571709
Start date and time:	2024-12-09 16:34:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	m9u08f2pMF.msi renamed because original name is a hash value
Original Sample Name:	1e5ce241801ccbef1583b30d15bc5340897f02797c496f524b56412515936fca.msi
Detection:	MAL
Classification:	mal44.troj.evad.winMSI@10/153@1/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 249
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4836 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: m9u08f2pMF.msi

Simulations

Behavior and APIs

Time	Type	Description
10:36:20	API Interceptor	5x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll	Setup.msi	Get hash	malicious	Unknown	Browse
	installer.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe	Setup.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	installer.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	v.1.6.3__x64__.msi	Get hash	malicious	LegionLoader	Browse
	v.1.5.4__x64__.msi	Get hash	malicious	LegionLoader	Browse
	LegionLoader (21).msi	Get hash	malicious	Unknown	Browse
	LegionLoader (22).msi	Get hash	malicious	Unknown	Browse
	LegionLoader (17).msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\4659c6.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	23754
Entropy (8bit):	5.856590599087684
Encrypted:	false
SSDEEP:	384:P4uPXsXXXzXAX1AXI3XDkXMXvXmX0X8XmXDXrX6XuX7XiXQXhX/XjXKXJXpXjXdu:P4uPXsXXXzXAX1AXI3XDkXMXvXmX0X8Q
MD5:	A0B31E05CEF8B47DAF1E2B4E8E91297D
SHA1:	A48FC61FBCB8755DAA805CCCC3CE2398446130FF
SHA-256:	5389689876D8C3B3DCE5DFC167152258B9EC56107DBCD27F2B12ACC4AC101FFD
SHA-512:	A967A70EB0A81758774D85376E09743FF3611247AF7EB29EA1735122D0EAA5124D5F086A22A6859727DB65D86122864E3F4B3EF4655845C49942A1AE1BC700B2
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.T.Y.@.....@.....@.....@.....@.....@......&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}..Ifid Apps..m9u08f2pMF.msi.@.....@.....@.....@......icon_32.exe..&.{564632B4-D632-4965-A808-AC4D3E1DC9DD}.....@.....@.....@.....@.......@.....@.....@.......@......Ifid Apps......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{CBCD90DF-DB36-4D67-AEDD-4171F1E02C1A}&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}.@......&.{8BD726EB-D80E-44BF-87C1-E0FF3732DEBE}&.{F65C12FB-F21E

C:\ProgramData\vlc.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jun 18 23:44:58 2021, mtime=Mon Dec 9 14:36:27 2024, atime=Fri Jun 18 23:44:58 2021, length=984312, window=hide
Category:	dropped
Size (bytes):	2126
Entropy (8bit):	3.855427387776437
Encrypted:	false
SSDEEP:	24:8iFrl1H0ebjADBrZ/8A1B4XojADAXojADEkAigl5Wdu1YdAigl5f1bm:8iFrj0imljPXeOAnWdu1YdAn9b
MD5:	5777629866960DCC10F36FBDBD374F77
SHA1:	7C506C606865D97D30F79E205B46FD3396A4F563
SHA-256:	48C658E49F8060B44C5A4AEAF8504EDC6D7D34EA2230682AB257C935145A8EAB
SHA-512:	D599FF4AB652D9C123B2550DCA51114A44F5AC18FE97AF76E39D48764235C8BC95F38C94AEB404E573EFE741FEBDB46702999F3B268AA68CCB7FFF4251FF4694
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ....a'T.d....V.PJ...a'T.d..........................$.:..DG..Yr?.D..U..k0.&...&.......y.Yd...f.m.PJ..ro..PJ......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.Y.\|..........................d...A.p.p.D.a.t.a...B.V.1......Y.\|..Roaming.@......EW)B.Y.\|...........................0c.R.o.a.m.i.n.g.....^.1......Y.\|..GROVIT~1..F......Y.\|.Y.\|...........................0c.G.r.o.v.i. .T.e.n.d.....\.1......Y.\|..IFIDAP~1..D......Y.\|.Y.\|....$.......................\.I.f.i.d. .A.p.p.s.....V.2......R.. .vlc.exe.@.......R...Y.\|....Y&........................v.l.c...e.x.e.......k...............-.......j............ "m.....C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe..<.....\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.o.v.i. .T.e.n.d.\.I.f.i.d. .A.p.p.s.\.v.l.c...e.x.e.5.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.G.r.o.v.i. .T.e.n.d.\.I.f.i.d. .A.p.p.s.\.f.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.4135884505161025
Encrypted:	false
SSDEEP:	24:3qWSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NK3R82iagSVbV:6WSU4xympjmZ9tz4RIoUl8NWR823VbV
MD5:	A8618B4C148DF7938A9E6843797E0DA2
SHA1:	F4646CB3B7AF44CF70B686139D853556535F9494
SHA-256:	19BEC78325F7A0ED157A955A1457E460930AF49FF5CE97A43849DD9565C08BF8
SHA-512:	04E4926050D67B30F7B1C78BB8B8D7A45C4C4BB8AF8988E536C178954422FBC1EF3CC7BC9956058BDFD67C39403809871FFBA44E34E872AC3308A2D689A6D9EC
Malicious:	false
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nbpbjem.oa0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vu5y4yf.wuo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\msi90E1.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.1321609710832776
Encrypted:	false
SSDEEP:	3:QtFKYpjKjKDiAl35YplflPlx3lMlRfLlYplf955:Q6mfDj0L1zmDfqLN
MD5:	0CEEC7B277191690F5704147332412CD
SHA1:	5966645FF1DE4D5D04341041904237DB5B8A2392
SHA-256:	0DAD972B0FB47B02053A204ED7140073661E01D060AAC3CB1A04633A040E5C17
SHA-512:	DECDAEF6A7E7D3D79DE352E90EC15A434498B4EC32F4E70A4407867A7B7DBBFFE2705409A6F73926FD1F0440AB30F5FE5FDD7A93C3EE35B29F873A2B70C9528C
Malicious:	true
Preview:	..H.t.t.p.P.o.s.t.S.e.r.v.e.r.R.e.s.p.o.n.s.e. .:.<.-.>.:. . .<.<.:.>.>. .C.y.o.q.R.i.n. .:.<.-.>.:. .0. .<.<.:.>.>. .

C:\Users\user\AppData\Local\Temp\pss90F4.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6668
Entropy (8bit):	3.5127462716425657
Encrypted:	false
SSDEEP:	96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
MD5:	30C30EF2CB47E35101D13402B5661179
SHA1:	25696B2AAB86A9233F19017539E2DD83B2F75D4E
SHA-256:	53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
SHA-512:	882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scr90E2.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.531795843558323
Encrypted:	false
SSDEEP:	6:Qgk79idK3fgmfDjplXhkvKN+KiV6IrMTl0x1LlG7JidK3fclOmDF+thkvl:QPEgxkvKstrMT9NIxB+Dkvl
MD5:	EA4BD253C1500BFABE6550E439E102C8
SHA1:	A734A4AC299183E0749655492DDD0D5952071063
SHA-256:	8BC5B5F9B666FE7CFF50539329F096F2D69BA3280084FCDA670A3314896359DB
SHA-512:	449DFAFB91AC4933267FE6B94EEAF04EE870295122F7A553C8C3B26641496B36C8A764B3DACDB2EFE45CE09CD4CC880C5F41976DB62E0DAD9481D8A6746CBA18
Malicious:	true
Preview:	..$.s.a.i.f.a.h. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".H.t.t.p.P.o.s.t.S.e.r.v.e.r.R.e.s.p.o.n.s.e.".....$.o.i.a.w.e.j.f.i.o.u. .=. .[.u.i.n.t.3.2.].(.$.s.a.i.f.a.h. .-.r.e.p.l.a.c.e. .'.a.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.y.o.q.R.i.n.". .$.o.i.a.w.e.j.f.i.o.u.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	256864
Entropy (8bit):	6.8622477797553
Encrypted:	false
SSDEEP:	3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
MD5:	E0BFA64EEFA440859C8525DFEC1962D0
SHA1:	4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
SHA-256:	8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
SHA-512:	04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.msi, Detection: malicious, Browse Filename: installer.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....vv..vv..vv...u..vv...s..vv...r..vv...u..vv...r..vv...s._vv...w..vv..vw..vv.G....vv.G.v..vv.G..vv..v..vv.G.t..vv.Rich.vv.................PE..L.....$g.........."!...).(..........@i.......@......................................;.....@A....................................P.......p...............`=......l....s..p....................s......@r..@............@...............................text....'.......(.................. ..`.rdata..XU...@...V...,..............@..@.data...............................@....fptable............................@....rsrc...p...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	506008
Entropy (8bit):	6.4284173495366845
Encrypted:	false
SSDEEP:	6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
MD5:	98CCD44353F7BC5BAD1BC6BA9AE0CD68
SHA1:	76A4E5BF8D298800C886D29F85EE629E7726052D
SHA-256:	E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
SHA-512:	D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.msi, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: installer.msi, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: v.1.6.3__x64__.msi, Detection: malicious, Browse Filename: v.1.5.4__x64__.msi, Detection: malicious, Browse Filename: LegionLoader (21).msi, Detection: malicious, Browse Filename: LegionLoader (22).msi, Detection: malicious, Browse Filename: LegionLoader (17).msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.}............\|.&.....\|.$.J...\|.%.....H}*.....H}./....H}./.....~P.....H}./.....~D.........z...F}./....F}(.....F}./....Rich............PE..d.....@f.........."....!.b.....................@.....................................'....`.................................................\|...........H........4.......(......8...0I..T....................J..(....G..@............................................text....a.......b.................. ..`.rdata...3.......4...f..............@..@.data...............................@....pdata...4.......6..................@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..8...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97152
Entropy (8bit):	6.423207912198565
Encrypted:	false
SSDEEP:	1536:yOHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1lLN:yOr/Z+jPYNV9H0Q8ecbjt1j
MD5:	5797D2A762227F35CDD581EC648693A8
SHA1:	E587B804DB5E95833CBD2229AF54C755EE0393B9
SHA-256:	C51C64DFB7C445ECF0001F69C27E13299DDCFBA0780EFA72B866A7487B7491C7
SHA-512:	5C4DE4F65C0338F9A63B853DB356175CAE15C2DDC6B727F473726D69EE0D07545AC64B313C380548211216EA667CAF32C5A0FD86F7ABE75FC60086822BC4C92E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d.....`.........." .........`......p...............................................'J....`A.........................................B..4....J...............p..X....X...#..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14272
Entropy (8bit):	6.519411559704781
Encrypted:	false
SSDEEP:	192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
MD5:	E173F3AB46096482C4361378F6DCB261
SHA1:	7922932D87D3E32CE708F071C02FB86D33562530
SHA-256:	C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
SHA-512:	3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.659079053710614
Encrypted:	false
SSDEEP:	192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
MD5:	9C9B50B204FCB84265810EF1F3C5D70A
SHA1:	0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
SHA-256:	25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
SHA-512:	EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11200
Entropy (8bit):	6.7627840671368835
Encrypted:	false
SSDEEP:	192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
MD5:	0233F97324AAAA048F705D999244BC71
SHA1:	5427D57D0354A103D4BB8B655C31E3189192FC6A
SHA-256:	42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
SHA-512:	8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12224
Entropy (8bit):	6.590253878523919
Encrypted:	false
SSDEEP:	192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
MD5:	E1BA66696901CF9B456559861F92786E
SHA1:	D28266C7EDE971DC875360EB1F5EA8571693603E
SHA-256:	02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
SHA-512:	08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.672720452347989
Encrypted:	false
SSDEEP:	192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
MD5:	7A15B909B6B11A3BE6458604B2FF6F5E
SHA1:	0FEB824D22B6BEEB97BCE58225688CB84AC809C7
SHA-256:	9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
SHA-512:	D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13760
Entropy (8bit):	6.575688560984027
Encrypted:	false
SSDEEP:	192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
MD5:	6C3FCD71A6A1A39EAB3E5C2FD72172CD
SHA1:	15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
SHA-256:	A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
SHA-512:	EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.70261983917014
Encrypted:	false
SSDEEP:	192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
MD5:	D175430EFF058838CEE2E334951F6C9C
SHA1:	7F17FBDCEF12042D215828C1D6675E483A4C62B1
SHA-256:	1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
SHA-512:	6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.599515320379107
Encrypted:	false
SSDEEP:	192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
MD5:	9D43B5E3C7C529425EDF1183511C29E4
SHA1:	07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
SHA-256:	19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
SHA-512:	C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.690164913578267
Encrypted:	false
SSDEEP:	192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
MD5:	43E1AE2E432EB99AA4427BB68F8826BB
SHA1:	EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
SHA-256:	3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
SHA-512:	40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11720
Entropy (8bit):	6.615761482304143
Encrypted:	false
SSDEEP:	192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
MD5:	735636096B86B761DA49EF26A1C7F779
SHA1:	E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
SHA-256:	5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
SHA-512:	3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.627282858694643
Encrypted:	false
SSDEEP:	192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
MD5:	031DC390780AC08F498E82A5604EF1EB
SHA1:	CF23D59674286D3DC7A3B10CD8689490F583F15F
SHA-256:	B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
SHA-512:	1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15816
Entropy (8bit):	6.435326465651674
Encrypted:	false
SSDEEP:	192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
MD5:	285DCD72D73559678CFD3ED39F81DDAD
SHA1:	DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
SHA-256:	6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
SHA-512:	84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.5874576656353145
Encrypted:	false
SSDEEP:	192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
MD5:	5CCE7A5ED4C2EBAF9243B324F6618C0E
SHA1:	FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
SHA-256:	AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
SHA-512:	FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13768
Entropy (8bit):	6.645869978118917
Encrypted:	false
SSDEEP:	192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
MD5:	41FBBB054AF69F0141E8FC7480D7F122
SHA1:	3613A572B462845D6478A92A94769885DA0843AF
SHA-256:	974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
SHA-512:	97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12744
Entropy (8bit):	6.564006501134889
Encrypted:	false
SSDEEP:	192:8a9aY17aFBRAWYhWYWWFYg7VWQ4eWbr0tJSUtpwBqnajrmaaG:8ad9WYhW4F/qlQG
MD5:	212D58CEFB2347BD694B214A27828C83
SHA1:	F0E98E2D594054E8A836BD9C6F68C3FE5048F870
SHA-256:	8166321F14D5804CE76F172F290A6F39CE81373257887D9897A6CF3925D47989
SHA-512:	637C215ED3E781F824AE93A0E04A7B6C0A6B1694D489E9058203630DCFC0B8152F2EB452177EA9FD2872A8A1F29C539F85A2F2824CF50B1D7496FA3FEBE27DFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...h{............" .........................................................0......J(....`.........................................0................ ...................!..............T............................................................................rdata..F...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12232
Entropy (8bit):	6.678162783983714
Encrypted:	false
SSDEEP:	192:+WYhWoWWFYg7VWQ4eWSoV7jjT6iBTqnajbQwr1:+WYhWIiVTTXZl3QC
MD5:	242829C7BE4190564BECEE51C7A43A7E
SHA1:	663154C1437ACF66480518068FBC756F5CABB72F
SHA-256:	EDC1699E9995F98826DF06D2C45BEB9E02AA7817BAE3E61373096AE7F6FA06E0
SHA-512:	3529FDE428AFFC3663C5C69BAEE60367A083841B49583080F0C4C7E72EAA63CABBF8B9DA8CCFC473B3C552A0453405A4A68FCD7888D143529D53E5EEC9A91A34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...+P............" .........................................................0......@.....`.........................................0...e............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	6.2047011292890195
Encrypted:	false
SSDEEP:	192:8JIDSM4Oe59rmkUALQe1hgmL44WYhWWWWFYg7VWQ4yWARgKZRqnajl6umA:8JI2M4Oe59Ckb1hgmLhWYhW2v2yRlwQ
MD5:	FB79420EC05AA715FE76D9B89111F3E2
SHA1:	15C6D65837C9979AF7EC143E034923884C3B0DBD
SHA-256:	F6A93FE6B57A54AAC46229F2ED14A0A979BF60416ADB2B2CFC672386CCB2B42E
SHA-512:	C40884C80F7921ADDCED37B1BF282BB5CB47608E53D4F4127EF1C6CE7E6BB9A4ADC7401389BC8504BF24751C402342693B11CEF8D06862677A63159A04DA544E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...IV............" .........,...............................................P.......e....`.........................................0....%...........@...............0...!..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19904
Entropy (8bit):	6.189411151090302
Encrypted:	false
SSDEEP:	384:4SrxLPmIHJI6/CpG3t2G3t4odXLhWYhWfgy6l9ne:4iPmIHJI6vZO
MD5:	A5B920F24AEA5C2528FE539CD7D20105
SHA1:	3FAE25B81DC65923C1911649ED19F193ADC7BDDE
SHA-256:	5B3E29116383BA48A2F46594402246264B4CB001023237EBBF28E7E9292CDB92
SHA-512:	F77F83C7FAD442A9A915ABCBC2AF36198A56A1BC93D1423FC22E6016D5CC53E47DE712E07C118DD85E72D4750CA450D90FDB6F9544D097AFC170AEECC5863158
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.../..N.........." .........(...............................................P......C.....`.........................................0.... ...........@...............,...!..............T............................................................................rdata..$".......$..................@..@.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-private-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64456
Entropy (8bit):	5.53593950821058
Encrypted:	false
SSDEEP:	1536:Se6De5c4bFe2JyhcvxXWpD7d3334BkZn+PI5c:Se6De5c4bFe2JyhcvxXWpD7d3334BkZU
MD5:	5C2004DAF398620211F0AD9781FF4EC2
SHA1:	E43DD814E90330880EE75259809EEE7B91B4FFA6
SHA-256:	55BC91A549D22B160AE4704485E19DEE955C7C2534E7447AFB84801EE629639B
SHA-512:	11EDBBC662584BB1DEA37D1B23C56426B970D127F290F3BE21CD1BA0A80D1F202047ABB80D8460D17A7CACF095DE90B78A54F7C7EC395043D54B49FFE688DF51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......F.........." ......................................................................`.........................................0...T................................!..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12736
Entropy (8bit):	6.592404054572702
Encrypted:	false
SSDEEP:	192:+nqjd7dWYhWDWWFYg7VWQ4yWMJ5HKZRqnajl6b:+nsWYhWxp5HyRlwb
MD5:	DD899C6FFECCE1DCA3E1C3B9BA2C8DA2
SHA1:	2914B84226F5996161EB3646E62973B1E6C9E596
SHA-256:	191F53988C7F02DD888C4FBF7C1D3351570F3B641146FAE6D60ACDAE544771AE
SHA-512:	2DB47FAA025C797D8B9B82DE4254EE80E499203DE8C6738BD17DDF6A77149020857F95D0B145128681A3084B95C7D14EB678C0A607C58B76137403C80FE8F856
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...P..D.........." .........................................................0......N.....`.........................................0...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16328
Entropy (8bit):	6.449442433945565
Encrypted:	false
SSDEEP:	192:maajPrpJhhf4AN5/KixWYhW4XWWFYg7VWQ4eWvppXjxceXqnajLJhrdCq:mlbr7nWYhW41MXjmAlnJhUq
MD5:	883120F9C25633B6C688577D024EFD12
SHA1:	E4FA6254623A2B4CDEA61712CDFA9C91AA905F18
SHA-256:	4390C389BBBF9EC7215D12D22723EFD77BEB4CD83311C75FFE215725ECFD55DC
SHA-512:	F17D3B667CC8002F4B6E6B96B630913FA1CB4083D855DB5B7269518F6FF6EEBF835544FA3B737F4FC0EB46CCB368778C4AE8B11EBCF9274CE1E5A0BA331A0E2F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...9..b.........." .........................................................@......^%....`.........................................0...4............0...................!..............T............................................................................rdata..d...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17864
Entropy (8bit):	6.393000322519701
Encrypted:	false
SSDEEP:	192:WpPLNPjFuWYFxEpahTWYhWHWWFYg7VWQ4eW9M3u57ZqnajgnLSuRCz:W19OFVhTWYhWlBu5llk2
MD5:	29680D7B1105171116A137450C8BB452
SHA1:	492BB8C231AAE9D5F5AF565ABB208A706FB2B130
SHA-256:	6F6F6E857B347F70ECC669B4DF73C32E42199B834FE009641D7B41A0B1C210AF
SHA-512:	87DCF131E21041B06ED84C3A510FE360048DE46F1975155B4B12E4BBF120F2DD0CB74CCD2E8691A39EEE0DA7F82AD39BC65C81F530FC0572A726F0A6661524F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....v..........." ......... ...............................................@............`.........................................0...a............0...............$...!..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\dictionaries\en_US.aff

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3246
Entropy (8bit):	4.313391741874073
Encrypted:	false
SSDEEP:	48:T7emiglihmWpRlH61/98BuY3SZQU3uD4Vg1lwsbJ0EcWiOr5NSr5NK3WuhYljrHN:RigQLsAiOUoeFTQUydYVrF31pwhwoe
MD5:	D329845E5D86AFEBE0DB82B3422C70C2
SHA1:	E432BEE2397B8573444ECAE348300F06AA5DF032
SHA-256:	56E2090475E1CE11A1885CE8ECE4D4B1F1E863F69A7233CC00BAF56CDAAA9096
SHA-512:	137202D74C374EC168BC64BBD0039BE2A77DC052842367550EB8E31C9C95B58585F4D3F46F72F80D4A22229C64B8600629B3FAB4F1E9E681446635E0A7524892
Malicious:	false
Preview:	SET ISO8859-1..TRY esianrtolcdugmphbyfvkwzESIANRTOLCDUGMPHBYFVKWZ'..NOSUGGEST !....# ordinal numbers..COMPOUNDMIN 1..# only in compounds: 1th, 2th, 3th..ONLYINCOMPOUND c..# compound rules:..# 1. [0-9]1[0-9]th (10th, 11th, 12th, 56714th, etc.)..# 2. [0-9][02-9](1st\|2nd\|3rd\|[4-9]th) (21st, 22nd, 123rd, 1234th, etc.)..COMPOUNDRULE 2..COMPOUNDRULE n1t..COMPOUNDRULE nmp..WORDCHARS 0123456789....PFX A Y 1..PFX A 0 re .....PFX I Y 1..PFX I 0 in .....PFX U Y 1..PFX U 0 un .....PFX C Y 1..PFX C 0 de .....PFX E Y 1..PFX E 0 dis .....PFX F Y 1..PFX F 0 con .....PFX K Y 1..PFX K 0 pro .....SFX V N 2..SFX V e ive e..SFX V 0 ive [^e]....SFX N Y 3..SFX N e ion e..SFX N y ication y ..SFX N 0 en [^ey] ....SFX X Y 3..SFX X e ions e..SFX X y ications y..SFX X 0 ens [^ey]....SFX H N 2..SFX H y ieth

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\dictionaries\en_US.dic

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	758251
Entropy (8bit):	4.79038751246559
Encrypted:	false
SSDEEP:	12288:ja/Jivuk9SBJTgI6ecuunMM9J2QX6aCYyV9KdrbHzQnkzDBfcbEwoiiJQC:IJivGTvcuc36FK9m0i1C
MD5:	3D51E0A789AD7B97307DC64229EFE5BA
SHA1:	A8665D0D492D85B3A4F903C9C4D43CC42D416516
SHA-256:	800EA3988CE7707858D97DA15228A30A7C0C0EECDC560EACE14BC0F0965A338E
SHA-512:	86BC40B7B87E15A36498F2BE31E1C05D6CBE2F4C8290FD5DC6A5D561E3F6AC8500D5F56585760582DE89518A23C4219EBB5D53BDC9FFAD121AFF9057E95668F8
Malicious:	false
Preview:	62118..0/nm..1/n1..2/nm..3/nm..4/nm..5/nm..6/nm..7/nm..8/nm..9/nm..0th/pt..1st/p..1th/tc..2nd/p..2th/tc..3rd/p..3th/tc..4th/pt..5th/pt..6th/pt..7th/pt..8th/pt..9th/pt..a..A..AA..AAA..Aachen/M..aardvark/SM..Aaren/M..Aarhus/M..Aarika/M..Aaron/M..AB..aback..abacus/SM..abaft..Abagael/M..Abagail/M..abalone/SM..abandoner/M..abandon/LGDRS..abandonment/SM..abase/LGDSR..abasement/S..abaser/M..abashed/UY..abashment/MS..abash/SDLG..abate/DSRLG..abated/U..abatement/MS..abater/M..abattoir/SM..Abba/M..Abbe/M..abb./S..abbess/SM..Abbey/M..abbey/MS..Abbie/M..Abbi/M..Abbot/M..abbot/MS..Abbott/M..abbr..abbrev..abbreviated/UA..abbreviates/A..abbreviate/XDSNG..abbreviating/A..abbreviation/M..Abbye/M..Abby/M..ABC/M..Abdel/M..abdicate/NGDSX..abdication/M..abdomen/SM..abdominal/YS..abduct/DGS..abduction/SM..abductor/SM..Abdul/M..ab/DY..abeam..Abelard/M..Abel/M..Abelson/M..Abe/M..Aberdeen/M..Abernathy/M..aberrant/YS..aberrational..aberration/SM..abet/S..abetted..abetting..abettor/SM..Abeu/M..abeyance/MS..abeya

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\clipboard-40-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	280
Entropy (8bit):	6.328040373865125
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKEk/2wqNmEyvsYEE3r7UXGEoW7yR/bp:6v/78nMtIj9yx/6cl1
MD5:	C58286125E5CB909DAE9107DFD8F2006
SHA1:	21380AE4E18FC176759885416684A0B19C7F7C82
SHA-256:	A65F53D774AFC38308625E6C165B2EAD4F1DD03D25896548B42F2F21CF901D2B
SHA-512:	4E00ED5AC90F78C62BE0507A2DB2ECD57F4505DD79870AA4C1BF485B13E076D5CC29BF4EC9FB0625FEA9F186BF0C21C5F5D7D40BBD6A14C4CC9C6D840800FE1C
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`......%..w..v&&&A\..N...ey........&.-..... 6L.++..... 9...Z......\|......n..Tl..1..PO...!...../.O".o.....j..x..g..3.4..033K..2.!R S..,H.....l.......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\documents-folders-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	294
Entropy (8bit):	6.181656360209844
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKahknMBpLYoTn40eWuD1hidlYfelDblbp:6v/78nMtehFBpsWnLuDWvYQf
MD5:	09C1CB2C3931F1E4FA7039678026BFAC
SHA1:	72526E215BA70B6C0C53A14E30177B3C9C9B3AC7
SHA-256:	10E4A6EB6992319CA1EB35C7366E3B7A6F1ECA743456282DCF64E76528705D23
SHA-512:	79C273D66BC3D650643EE84C9C3BE4438848F23DFAB09EF345F93E45EE440147B858E4556B281F166A0640F6EA65A3D8F8D660B2466C9F7CE63DA42035C50E30
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..A~.Z!...\.(_.......4+.+.'....,.0.d.>MR..{..%....F3...<..Q.LL..b(.!d........s.....6..h$.... -!y.....e.L......5......Ib.8I........ddg.4...d@.J...@......W...N.r....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\download-folder-9-32.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.2752538251619265
Encrypted:	false
SSDEEP:	12:6v/7iwnMtI5NdBM926zd5296hYRSOGdZret7SnP4BZKPw2n:ckANbMH2OASOG/retb6
MD5:	CBECFA8E3A39AD187D0B5B611E8530D3
SHA1:	1F98EC988EB2326A7905EA0CB0DADB11DFF98456
SHA-256:	9B54F74F911E5F78A187B52EC94F2049180BF2FBFD043B3E56E5F1D4BF6654A0
SHA-512:	F68AFB9275F37AA3FB42879D0147B30367A8CE15DEDBC967557D9DEBE12F649665D6E86F32BE3E66640FE95243F7A275656CB5A440A6676BEC74DD2041F5C8CC
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDATX.c`..P...)!&.IIN......\XQN..H.H=U-W.....b....gee...@>".r.....H....v\|.A...c9)....2.Rg.......9...d,+%u...Ev...s.JH... ...W8.....3.9@NZ.6/.O<..O....CR....w...,..a.9..-.1.l....r".%(.:@^F.)zV......YI........O3.(......,."....+%.....2....Q...N.....H...PjeeaQ.......:d%..$...r.....L....b.HKH.G.........@1.t1`H...@_.cbb.G7....Q..{C.4 &"..T....,.j.....$.r>..t.gC%y...\\A.,.....&..Tw.4G.....e9..w.(+.k.\#.h%V...........Hv3...4......De.j....0..agg7gcc..f.c..DT.....P.Q.$....L.......F...P..#.v\baFk."..(h@.%P"... .@f....,.....Hp.3E$.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\employee-id-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	329
Entropy (8bit):	6.420308355307663
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyK2z8phbkbsxZG9leYdylfqCJ+k3iIp:6v/78nMtqYPoNl8fqCJlii
MD5:	0674729E929FD791FC0D0AEF5B2FB5D9
SHA1:	0A321E40FEA01E9FF341BAF78FCEE0D81963D84C
SHA-256:	CF909DDCDF9BAD76EC0640275CE54B73F20EAE0A5E80ED7DC9F48AE982ACA8DF
SHA-512:	59A317D283E2638593A82E149BDC3B8BC7E9FF0F5A575F3BC51845FCDF01174EB1E4B498C9B21897B73A461A1B2F9E068168920EF7A98F593DA61A99A83F15CE
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..........A....'P.W...io.;.....@...2.&.R..YAV.5.bl. .Az.6cS...".fcc..f(P.).Y.. ,)..KH@...Allj....q.@..k....%X..II.$..B.J..F.F..fFFF...P..{.3...@.......^.F..V.@qIl..L.l&XS"1XA.......I.`p....^..>.......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\eraser-16-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	324
Entropy (8bit):	6.491766680808101
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKll8n/sk3c7jBQxWgqbrTSMHmxHuESGmO2+vi8A9hN/sup:6v/78nMtboUKcuWgqbf5EHLSGmS6jD/N
MD5:	59CE25E2011AC621D8C76D5EBC98E421
SHA1:	27D9D254EDE7482CCBAE645E52CBB2BFB14EAB74
SHA-256:	5BE77F5B2BB5A057E27733A28E36E535076D2EF12A6263B13D2EAA6ED9E59B09
SHA-512:	3934D94EBC886D6386272D33782E8A7833945725AB227F3CB854FB2185A0539F2E43E9EC9E85A595C73F73E6BB57B289200A7E15F02240536ABF24CEA752603D
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c` ....9.........DD.*.+..a.I.sdk&..l...9K.f......!.h.ax..4K.K.$..`.s0012r.8..2.A.qqr...YLXd..vfff1.. .@-..o.4......!.5....L.!85.0..$&-!q.(......#d.@C...........4.Y3.e.@.<........37..H3.:........n....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\fonts-folder-3-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	267
Entropy (8bit):	6.19077973468042
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKzEj/0GGou28UK+L+WVmMFntkDqnXEuOp:6v/78nMtih228RnumMV+DqXEu8
MD5:	4E4AB21E8FDEE3C90C277F6EC23BF8CD
SHA1:	2CA13EA94FE3CAEDAB3A2BE44FC18CD2A523CECA
SHA-256:	956D447717A91521D4A0B48486189795B0F0E83F11C05E32F8FE666529D040C3
SHA-512:	EC6CA34F6D975D1E3E433D3B8BA9CCE9FB6742D3F17B2DCC27B7201A98EA23479C33FD209B2584A8F5C633B97802D757E4D2BC1397FA7BFA3D802291D699C78D
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.........0.:>^....011.......f.V...3.*..h..c...p1.....$A.#clj.z...@TB..P..%O..2.......sET....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\list-document-32.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	460
Entropy (8bit):	6.83761150187215
Encrypted:	false
SSDEEP:	6:6v/lhPKwnMRtyKIj7eaYGwoGn9iGUl/nf+wB417DbsLRtAJNfEYopHnt41dSoEs4:6v/7iwnMt8jsoi9lkwDsAsYopOdt7SaY
MD5:	09EFF4F4D770599A874BC2D94065A8CC
SHA1:	265B40063ED9EE376C5991AA39E5772AD68C406F
SHA-256:	A9238998CC2DCF53933685F7D92686C81F9433167087AD4820E121FAAEA460B5
SHA-512:	C3E01B97D92C5AF4F6A023374D4EF8A23BACA485DF82A2ADAE753650062FE857CA2FECF5AC33E720F8B92C2AFAD0C2FCD5B141475C11FD451C6DB82A9D26A349
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<...JIDATX.c`.L...+PAF......J....Gq..lll.$9.....?B..-@...r..-.c.Q......4w....=.....!A..@_......}lj...Zh..i...0s..].+M...>M..L..@...........M.0w..Y....M...r.0$....C?...@....."..-M...0G.B...@4]......y.[.....a.. *$<....MLXd... +%u.9=.S.]......`..4.....MRL\|.....s.0{.%....9...3.y......$..&B.(.M...p4..&.....t.00..8........r...8.0....;zg..(....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\safe-31-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	374
Entropy (8bit):	6.671134871061204
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKKy/nDjX8HfN2qmvwKliLbUpyfp1HZAp8TFEWdp:6v/78nMtOybjsHfN2ikinU6p15dKWz
MD5:	4A4930AE3498DCE09DDD80775E1FD7E4
SHA1:	548E0FCCD0C382778F26D2DE411560B30BF23ED4
SHA-256:	C21F5FC164884D7AE90D306B8098CA4A4FDDC028D63B04E75E06823293960D3E
SHA-512:	68ED2585AB02E9B3ECBC481C55FF3B42721D9689502A9E0FBDA162FF8C9AF78FCD98B0DDA683EE1224A14C5543271DC953CF788F5DF8AF38AD757CD81B88A6FE
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..&F&^A~.z!...b0H-H..X3.......r0.##...4r...c.9..Q..}.r..3.,.............@.s.s.r..[.K.<.i...4#.%$.1...Q..D...$'......B........I2...Y.$.......b...j..X@......b.....>+..}...PC&)..&)..r....y....N...}J.f....A....Cu::...p.I.0.<..P.=L.............IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\star-folder-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	301
Entropy (8bit):	6.433970126002673
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyK9Ej/0GGou28UKwrQdo/0ek1kCjFO75gD5NhUmuVp:6v/78nMtsh228RwrQq/Vk5O+Dimu7
MD5:	6212A7A0F72777E1702FF69655C11014
SHA1:	340F31181297EEFD1E7C710A53D34812F3FE5586
SHA-256:	5E0D0CC1E5A7CCDF0754A131C00FDEFB345E763047D00CF458B485A660F8C961
SHA-512:	819DCB658A57907C700366518E19814D2FF57DBC0902843FD1E5C0D140AEF9163A5EA0370A98EF93EC4D997DA362A96B9D204B30C2F45249B00BB2E92AD05FE8
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.....xy3....D3V...\....x.......h...#.+.....r.P!....$y.]7Ia '-s...Y).KX..FE&.....\|nN.?....+PDHh..h..<...8t....<.J.......sr......IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\swatch-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	275
Entropy (8bit):	6.241760254713669
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKxWuGoM+kPJzlX8jjbnbbvkLV+Vm+p:6v/78nMttpM36H8LV+Vms
MD5:	F7515A8ECBF2AA3AA9C57DFF3B05753E
SHA1:	F51571132ADA200E233E5279014F6E396800C8C4
SHA-256:	5BEBE21F8829533D8118E9B47DD49E2317C735A472477B583211670782312665
SHA-512:	9AE9D82588858A39C6B56B99AD2703CA2652EB99358B234A632D47C38E1FE48E1548DB7CC763352FA1AF4E49B0A4CF3DDA9B8425BBFC94FAC4B7D1E957294988
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`@........B.....$..CW...e.*.+...j.`..2..f...U.0..D..!..V.....`.@~... ....."....5.....(6...m...$F......^@NHD....(N. ..(dg&$....... 1l6..Lc..:.qo....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\sync-folder-1-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	358
Entropy (8bit):	6.674957154010901
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKaX2j/0GGou28UKztI9ohN9y6EHnqywm1jgWHopHbp:6v/78nMte0h228R5mvHnRwpWHopV
MD5:	D0301F65CE574CFB8601F381A04FC2DC
SHA1:	B970384F7B4D11280A41498CD99B73FFA8EED575
SHA-256:	D1E2AA31652F8CCD1F8C6BE5F7DBE5056407DA790EA8604BA776FD9856546BCD
SHA-512:	17CE1CA8593D575544EFDE570A30BD5D78DD7D35FF03C25D990ED11A5521D95BB6FCB7FAE899D93B7C46C8F5CC7C2533763A1D4DF31D7CFEDB8256801D0AEE56
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@.....E..&..... 1.Q.5.j.xy3.......U..,...N._....9).[ ...2.ab....0... #)u.......d..4@DHx0j...{.."V..l..$.(..WL...LL.r...ar...I...p.....n...,.0.XYY.y....L&)!...L...BrR......=f.Y....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\text-document-10-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	282
Entropy (8bit):	6.2049316386300095
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKOhknMBpLYoTn40eWus7vrGVr3gWndp:6v/78nMtKhFBpsWnLusHGVrgWz
MD5:	0943B8C4B397211B1C73B2288D2B0655
SHA1:	2437C95E1CBDD6240D84EEB88C57CAFDFA5AE792
SHA-256:	4221BB09453A0ED7183FB675B374F17B5F28BA7097AFBABBCCEBBB05EC557911
SHA-512:	DF7BF3F6DEF5CA7E227EB2BF3F1E313F066C3AFE178D584860D6D6325B03DBFE6949C0C72643C3E0D8748767182892D7FAB4D090C1E86FC7D1911D58EF13FC3E
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..A~.Z!...\.(_.......4+.+.'....,.0.d.>MR..{..%....F3...<..Q.LL..b(.!d........s.....6..h$..I5...4@BTl-r....W.d..]...>....... %3!.P..?...T"1\3.t..Wn%.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\icons\upload-folder-5-16.png

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	325
Entropy (8bit):	6.5022763903385785
Encrypted:	false
SSDEEP:	6:6v/lhPUnMRtyKFEj/0GGou28UKs/5Ln9R/ZVfFMXqfXMsnM2Sup:6v/78nMtkh228Rs/550yMshSc
MD5:	ACFF953EC211AF6260069114D88B5D5E
SHA1:	DBCCE1D8B99F2AAF2411FAEE55885CE4B0C87343
SHA-256:	67D52CE987D7BB34817359BB689C69DD769FB3D147D136C65F16F94FDA16E2EF
SHA-512:	6C069BA0EB35774A23A3FB8B46119069F510AD7F0B3F9FB5B98E3667C91EDA0E4D5508E79480010B829C86E35B7A62CBAB6B0350169AFF8FA58CDD5D7869D650
Malicious:	false
Preview:	.PNG........IHDR................a....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....IDAT8.c`..P..}.,...............M3..4@H@....8.?fffqJ.@......Q..}.K...7...\|<.i0o....cS#./P...n.......I&..i....\VR..A.8..A.....`....;A4.7w$Q^.%,.. ....W...=.......L\.XXX.XYX..F#>..JH .J...IVR..........4.....IEND.B`.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libassuan-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	158192
Entropy (8bit):	6.276215721465373
Encrypted:	false
SSDEEP:	3072:CHpTY9D4S6S8AFezF9bqtdf1i+PTHnlLee0cw1XbCzoll1e+Asrm+P0w:CHpTnF+qe3yCzolfe2rm7w
MD5:	04932B84E5CD4EA826840EE8EDE549B0
SHA1:	6FE6F09021D4341537EA0C9010048D37462A0782
SHA-256:	74DF283D6DDE5FC5DB3073619F712A80C9DEBE38291D3EF91EDCD3C220601407
SHA-512:	35E5C73E59785DF4E30BBE0B8B27960C9F38E3CF4944E0470622DF20424B421387648172427C17AD3502FAC3E2DF4D1C21F2B9B1E5261B6707A528D79F9F3C00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#.....:......P..........e.............................................. ......................................`.......p.......... ............>...+......................................(...................(t...............................text...............................`.P`.data... ...........................@.`..rdata...*.......,..................@.`@.pdata..............................@.0@.xdata.......0......................@.0@.bss....p....P........................`..edata.......`......................@.0@.idata.......p......."..............@.0..CRT....X............2..............@.@..tls.................4..............@.@..rsrc... ............6..............@.0..reloc...............<..............@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libcrypto-3-x64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4700448
Entropy (8bit):	6.762778198451197
Encrypted:	false
SSDEEP:	98304:GF+qQZELs+X7bVqGoFkzfwnxPhSVM1CPwDvt3uFGCCLh:a98Ks+rbVqGoFkzInx11CPwDvt3uFGCq
MD5:	D1229452CA48896B048BDB0D12A5C505
SHA1:	D2B73383DDADE5BBD42669049BFB6265892572B7
SHA-256:	D9E31123FB00BA631FCCD9E697CD5F4DA4A4D09CB62F5B6F2F4C49EED8A8E27E
SHA-512:	5401A94C8E998A6259AFE7AD930E914CA3F5AAAED4F706EF6151136E568B06BA8C3BB27AB04F95CBBB40FC879A75C0B7C442A586D54816E7109F8FB2755BC6CA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............vI..vI..vI..I..vI;DwH..vI;DsH..vI;DrH..vI;DuH..vI..wI*.vI..wH..vI..vI..vI.GrHl.vI.GvH..vI.G.I..vI.GtH..vIRich..vI........PE..d.....f.........." ...'..4...........4.......................................G.....G.G...`...........................................A. ....TD.@....@G.......D.HI....G. )...PG.\.....?.T.............................?.@.............4..............................text.....4.......4................. ..`.rdata.......4.......4.............@..@.data....t...pD..J...^D.............@....pdata..HI....D..J....D.............@..@.rsrc........@G.......F.............@..@.reloc..\....PG.......F.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libgpg-error-0.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	252912
Entropy (8bit):	6.26449546686269
Encrypted:	false
SSDEEP:	6144:azN0KgZEaVmFI2qmDsHVf1JJKDo7wv52DP3dBrmSF:m0KgZcFIHmJU1BrR
MD5:	EFE675C00C0543DD08AD96E4D7DD022C
SHA1:	539A1724C5DB6279D239E28BF0BC1D06751CDF02
SHA-256:	EF3A3677540AA47F1543C475E4531CE8BE0C70FBE3B75957C0AD6A0993A4ECA5
SHA-512:	9E35D053D2C2CD5B3A70ECB88023B3854A7837D4FD0498622C9238A5D8EC0E2DDD51070A8525E2ED066B76E67FFB4602BBE7BBF1057D23373A71287AE7B2C126
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#............P.........(k.............................0............... ..............................................................P..p .......+... ...............................B..(....................................................text...H...........................`.P`.data...............................@.`..rdata..............................@.`@.pdata..p ...P..."...6..............@.0@.xdata........... ...X..............@.0@.bss..................................`..edata...............x..............@.0@.idata..............................@.0..CRT....X...........................@.@..tls................................@.@..rsrc...............................@.0..reloc....... ......................@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libpkcs11-helper-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1247744
Entropy (8bit):	6.781026237562463
Encrypted:	false
SSDEEP:	24576:bFSwpQ+GZ8biTP/tiPsmkWs8pNkMljjQqJGiC:AwpQ+GZ8biTPVrhWKsM5iC
MD5:	CE50E6242FFE16E09CBE9E8363F3B0EF
SHA1:	D073D8A4B7AB7A6BBEF5E6554A11A9631E16CB64
SHA-256:	801A01238F7D2DE6FD3034BFA56F9F0827E16BEF33281244C7F80118A4CD45EC
SHA-512:	48B0470488F549C4CC934D84B0C358A5C50CB6D2B9A7B346CE7BC4076122C4153E8E2B48058936AB8E9343529F2C9ED7CB4F82D1FEEBB6A2B5AED41C2874E7EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....XTg.........." ...).....N............................................................`.................................................d................0...j...........p..l..............................(.......@............................................text...,........................... ..`.data...$.... ......................@....pdata...j...0...l..................@..@.udata...............4..............@..@.reloc..l....p......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	829216
Entropy (8bit):	6.300815379570505
Encrypted:	false
SSDEEP:	12288:/qxOwtce9UEE1KK2+SwtLde4UE8b35Vv8RAmpdEVB3SP:/It9BE1XYZJyxdEVB3SP
MD5:	18232E66F7998529421B051E678C38A4
SHA1:	3C040DA458F9231D3077193AC4A1F68144B8E2C2
SHA-256:	B9E15674A3DC28D604F3A03398F2F421C3654C1376D5AAD3A4835538E1C61F1A
SHA-512:	31258C52357B648093AD9AEC5760F0012202F596DD14F6C3A50DAC37286CB811F0CCE3BC418502767686FC199679DDC8D1F3DC790F19B8040D0229BC5DB636A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.'.c...O..s...O..\|...O..y...O..u..:...u...L..r..q..*...L......L..p...LK.p...L..p..Richq..................PE..d.....f.........." ...'..................................................................`.........................................`0...K...{...................r...~.. )......X.......T...........................`...@............................................text...(........................... ..`.rdata..............................@..@.data...8=.......8..................@....pdata...r.......t..................@..@.rsrc................b..............@..@.reloc..X............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libwinpthread-1.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	66544
Entropy (8bit):	6.309954882128114
Encrypted:	false
SSDEEP:	1536:Xoun2j59yXrmGv5jqGcZJt7im3YtQrmEKP0m:XUyhAJt7im3YtQrmEKP0m
MD5:	4F8C576F1515282FF03306B01DE7F75D
SHA1:	52CECE362F99E1B65732F54275F9CA984338882D
SHA-256:	C27F1770F0648A3FEB826C6D480CECC37D8D807F193F45B721EB466688FF3998
SHA-512:	7DDE6F439314C79C485A3B2EB7213FE17FC822377984B77CFA4012E2AB0BAC4C0A5B2951727497D2017DBA2140646E71A169BFA720E0C19D54FE4FF81552E59A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...#.....L......P..........d.............................`................ ......................................................@..P.......P........+...P..T...............................(....................................................text...P........................... .P`.data...............................@.P..rdata..............................@.`@.pdata..P...........................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....`.... ......................@.@..tls.........0......................@.@..rsrc...P....@......................@.0..reloc..T....P......................@.0B................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.base.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	18367853
Entropy (8bit):	7.968497771189572
Encrypted:	false
SSDEEP:	393216:BLz4LssSDaG2WEXljHcVPZBfJgPWFp93OKqNZNJyXgjrHKzMR:CLJSuCCVHaiPWFpkNzcXgnHKgR
MD5:	C6C96A3F5AC8A949A7F920D83D4C8B3F
SHA1:	2D6B7E5973DA5B3A469C4D6B426A02B7AA4FF9E2
SHA-256:	753BA6FDC8F9C1DE1627D0ABBD03E97E2E97AEF3E5823A6C8C036B68D48C301E
SHA-512:	EE9FFC7C6B996B9DD9421E23444F9F3D72E002E6CD50E7816325DE7392E49240D6B239139D5C2C7F7FF01EDE0F35077B95C77C60995E94405A38E1E8F5B263AB
Malicious:	false
Preview:	JM..PK.........o/Q................classes/module-info.class.9.\...o....@.(D...= ..hP....n...yw4.`.Q..5v.^.+..#.b.b.Fc..!...=.....~7.;3.y3.f..K..&.t.....3..\.F.6...R..!Oa.Y ...<.5sRR.H.m.!.@.(.:.9M.P......h2.kT.IF\.xY.fN.f.X..z.V'#....)4...)N...$.q."+.T.z...Z4......Q......-2.....}.!.....VPHF....&N-#u.x8....g..N.[4:...UZ.kI...@..O=.c...e.R.....-..6.._.e2.i.2....7.j!.Lf~..V..a..@.~<E..U..Mr@)X..IL. Qa/.%.iZZ..n....Z.t/...ei...#^..p&5..P..2..FN)#..f.p.8I'.z.. B.R.j....?Qg.A...w...&......J..Ng4.X.....f.6.q..e.,.d.e.,....Jm.x/...~y...A.A....).AkP..)..JE..4.Rp.~V.)>.......2qI\...t.6.lU_@YL...5.q..(#_...).......q...W...M...L...:.....\|.....o6...$ ..!(..V..SeD..^y.ZC....Z.#..A'..31.mH.....%..(..TAu=.!f....`.h..H...e...q.$./..]{....M....x.2M...q.1@..KR.X....,.B.ed\ys..rBy$!.&.G..<.Y....M.h...S.A..0..M....s*...\.^e.kg...,j..........%$%......6..ZcF...<.5.....`0%)..)..3.D.k.`Y.....P.....@..........p....[..........0.Y.j....d...Z..U\|`83f.0W..Q.8..U..i....[.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.compiler.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	124409
Entropy (8bit):	7.718272830707501
Encrypted:	false
SSDEEP:	3072:1i6Z6wsvoYmg/SeP7rXuLU20fGqZLdlC8IvgvGR:7XsAySk7rXu+fGqZLdlWvCGR
MD5:	5A4FE8E78A6C9254B36919DA9CE7799F
SHA1:	27276BC48C907C856F0EB72CF6F3A48FA3A92E44
SHA-256:	44E1E786291E335C6E4DCC9B2EACA365F06EEB8534A0CF8912DAC550091C4F46
SHA-512:	5C8B22AFC7B07B8DC595E6998819A4544603B6A8B3100EA653F42826B340C5930A872C01BA90269A783FC955C7024DB26088D4333D22DE5A632B0EF4734D7CD8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.0..-....P(...P.. q.q@BB.?`R................av=3^.....;.3...e....A[ Bg.p.. 4..x:....{(............t.@+w.kO&I.\|...+..P..eh.J..f]..H..F......si.......l.(..j.&6..U...Hd.=.hMw/.......LY...UX.9.X.ma.P..Y..+&x.7fO.V....I.2!4.bb_...E.fz..E4;=^.%\|.2...7.........%L.e\5...-....U..v0.84z.......80...PK....mp2.......PK.........n/Q............;...classes/javax/annotation/processing/AbstractProcessor.class.Xit.....%{$y...N..e ....&.....8.1.N........D..3#..-;..JI..RJ..6l.F...ZJY....t.....R...l......9>.....w.}W........J.P.TQ.2..;.a.1.[..[.w..O...Lo.@ ^..F.a....P...#..e...v..&...w=GOx[.K.#P.Y.z..H..>)}..J.....^kJw].y..".b...@.L.3..xFrKZn....j..U,.B..".....~.....$..z.H.j..",Vp...p2y....L5v..^..C.j..u.....T.&P:..2.@u....q.C..CX..I.O...d.n..!.U.V .;.....Uh.O..o...b....K..A.C=...\..F...2..B..W}.W+U..U...k.....I..Bb..!..m....Qq.V..8n..*...u}. r..N.d..9...Q.V.yX'.8{......,......M..+..o.j.:_....%.7.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.datatransfer.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	51389
Entropy (8bit):	7.916683616123071
Encrypted:	false
SSDEEP:	768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
MD5:	8F4C0388762CD566EAE3261FF8E55D14
SHA1:	B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
SHA-256:	AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
SHA-512:	1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0..../.$...pAM.D.p..!!..X...m.d'.....P7...biw..Y.?._...pM.m..X.q..2.D8o...o.0.J.s...,...".'..>..F..r..M..G.L......!.je.BG....:v.;..a@...Y...3..?.Y....\.m.).CBwn......'.N..+G+^#.j...R.A..qV.1o...p.....\|._.-N$.!.;X....\|....G......qi.W{PK...^0.........PK.........n/Q............-...classes/java/awt/datatransfer/Clipboard.class.X.w.W....c...-.Ii...#.P..........@(`.......3.....R...........<....h..W.z......=.=~....l..DN..............;y.@7..#....2.P.._.WR.b.Km..f......9w1T...A.....d..b.r.Ie.Gq,..U+.kcC.be..eTe......K3.usU.2...Pe.4T.aYz....>!..q..3.dL.Q..fh/#..P.t.;.f,.."..7..v.(..K7}.2nZ;.Mg..OuzU..c.....!wR.xz....7...tG..d.ED..3...fs.{n\...x...r.!.#X.6.Ke.v........1n.P......#..P...J....)^.dt....k...k...F5...e$.d...=~Do.t.2....KX....B.#Ha..U2n.j...+fh&....&.zk,.....>...aQ......kj...:.h.Q.uTv.B ......N......r'..x..D.4.`k 76fZ....fG..#.....7.4.:w..6....#...x..>lfh.B'.....'l..V.....5..H..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.desktop.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	12133334
Entropy (8bit):	7.944474086295981
Encrypted:	false
SSDEEP:	196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
MD5:	E3705B15388EC3BDFE799AD5DB80B172
SHA1:	0B9B77F028727C73265393A68F37FC69C30205BD
SHA-256:	BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
SHA-512:	CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.X...e../.l.!..!.#..M..."..g..#.B.........0;{.AAD.EE..QQQ.aG....{.]....7......~.{....k...{....<HD...4.......x%?G.4_St.Z...\..].+c..t.t........iC./...gZ..].8C..D'M...\3.+~5......z.<.f1..2.v./.As.Lv.....`2.M%...d.h..S`....YC.....D.u0-l.V#.5.,.e..)[..[.v..............d.I...A........A+&."..8g.)"..E..1!.Z.]....Ak..5.......<'..L8bC..V4.U2.~$...i....)."I...O...d:......@..S...w0m...-....2..x....z.....O....k.8.}....P.....=..I/...<../.d..k....43VL.i...........C.S\|`..!b.8....3.Ey..S..e..+.../T..j...g..B.@q9.."..>.LU..2-i....-.!....Z....g.BGl.j..R...Z.D.YJ.Kd...9 l.FN4.Rk.22..b..Rn...u..x.,...j.I.aZ.....X[{L.e..Z#..`.Z...8..[.p..0.(...j..W..-M...V..H7.c.KN...5e.."...t[um..R...UF.c..1.....z\|z.EeO..j..k.V..\x.8.....et;.9.^.Pa..+......U....Iu.q.t....HY.g...q.......omK...FKr1.F..F?.i.d../.]....68..L.........W..s.CU.\|y.....zE..Q\...82..W.i[.#Q..xm......P..u.<.#...yC...,........~B..\|sF.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.instrument.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	41127
Entropy (8bit):	7.961466748192397
Encrypted:	false
SSDEEP:	768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
MD5:	D039093C051B1D555C8F9B245B3D7FA0
SHA1:	C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
SHA-256:	4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
SHA-512:	334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU.M..0..../..........LL...A.$.t.\x..e,U.N.N..7o.....=B+..,.@..:.`.....`....L.,.".B.M......:...._..uBGf.5.M..g..."..8K\..B.".z..\|=6.=1.KB..v,.yJ0/......[.r..OU`....Q}...kP.94oh...b..K{...].'PK........#...PK.........n/Q............2...classes/java/lang/instrument/ClassDefinition.class.SMo.@.}.8q.4M.@.h..b;... ..d.RP$.c...#g...#@.....@.G..........7o.......@.-..J.T.eT..'.......tt.=.P9.C_t.J.5... ...Y...z\|.(..TE...e.....(.......v?pg....<...I.1.:....H.U...1.)..p...P.......\|...04..Q..2...%..8~.......#..p"...n..<.Uq..=..:.c..1.2...x.o.w..#....^?q.I..:..Y...6...N..c..>2.k.U...L..&V.H...%....y...[.~GJ...B/M......%...t....+.I.E....H..}....m..j_..8C...:.n...(*..z..Z.Q...$....a.}..T.xW.$....52...T.o..mSL_~.L.FM....W.z.I.]....)..e.....A..$..xH...Td...0i..."...0X....PK..X..~........PK.........n/Q............7...classes/java/lang/instrument/ClassFileTransformer.class.S.n.@.=.8.M.n..b^-/..G..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.logging.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	113725
Entropy (8bit):	7.928841651831531
Encrypted:	false
SSDEEP:	3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
MD5:	3A03EF8F05A2D0472AE865D9457DAB32
SHA1:	7204170A08115A16A50D5A06C3DE7B0ADB6113B1
SHA-256:	584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
SHA-512:	1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuQ.N.1.=W......n\1.D.5$&....T...2%....\..~..3(......9.6...o....%..:L...x.=..p..L.......".Gm........Z9.R+...}x..$.Y,,..-..z..{.v.K..:9m[.dl....Q#t..F$:5c..h..^x".8 \N..A!....O....@.0.Z....p]......0_(.mB...=.J..<.k"4....g<......M$,....:Kz\|..^.........8q..{...}.G....p.S.W...l.M.....PK..R...).......PK.........n/Q................classes/java/util/logging/ConsoleHandler.class}S[o.A...KW..jk.....jy...K.b.R.mH\|.......2.K....h...G..,..K...s..r......7....d.u....C...y3..j..2...1..!wx..2T:.T...b.^..`.D[...0....n.cXy#C..e...=.E.....]..%L..<x.....W........z..u.s..a.e..Zq..-.E@n.!..)....F...\.E...<...[.;W..t.i%.mT".w.x..(.m,...r.....tZ..vPepFI_...D..b..0.U...S;....XP.@..C.#Cq..}aNy_..ZG...q#m<;..g2b.]"..Y.....[7."+..#"wOtb..-..."..@..(.>Y0......C.h...?.~..8A.Mp.....N....Z$ .E...."o.E.uz3;..m.P.z.....7...?.'.q>...2mN.gLv...q1..[}..@~..M.....K..sS.....PK....0w........PK.........n/Q............,...classes/ja

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	896846
Entropy (8bit):	7.923431656723031
Encrypted:	false
SSDEEP:	12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
MD5:	C6FBB7D49CAA027010C2A817D80CA77C
SHA1:	4191E275E1154271ABF1E54E85A4FF94F59E7223
SHA-256:	1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
SHA-512:	FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.N.A.=-.............^PQP4F..\|..]{.........S\|...(cu/..i.d.z...[....'.M\|`.M.GrI.).1.4...8...V.b.EE.Rg...zV.K......Os.W.S?.e.GY.Q`.od..d..Zf....2>.B.29.D.3L7...M&....8.;..2...}..n..n.g...S. ?..._V..Q..9mBo0L..~dD.t.c.ric..2r5qLvr..V....Sm..I}.}.a..Od$2e..M.v.m..w....L..s.C.;...#.f..Ln.......5..9.2....5......P......M.$V.\|;...'mw.Vl.2....D..1%.l.a..o...O....!.......h...9V.L.x..?..n]/.6......iVe..{.4.K..s.[....y..\|2....3,`.a.....H69.a.;09.5K.C....a_.G.`Jm...ER......9I.D.n...Wp........%..WI...tf..pg5..SN.8y..Y'.:9....U.pq.....}.]X..aE....^t..x.l...^....m.#.......a."r.l.2..Lf).y.^.h..u....PK....N.i.......PK.........n/Q............0...classes/com/sun/jmx/defaults/JmxProperties.class.UMS#U.=.aH.4.4.....J2...h..6v.L2q.......tS.)F........\.....Y..h2...*...{.......w..8Ha.....p.C.c..C;..^+S...F.0..xNt....J5.$.b.og..9l.g....Q..k......"..I....b....-..^.n..<x..4.$pY.(..,\~.F..0...Z<`X[...(p...u^.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.management.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	92135
Entropy (8bit):	7.945919597257173
Encrypted:	false
SSDEEP:	1536:Jxw6Uq67COVGkuLH5Sr6DPHoXsUJWLgUpDYC+ZJk3kJoPUFX:Jxw6v67bXr2g/WRVtwi0Jw+X
MD5:	22F603FFB69D73089DDE462D567E88C9
SHA1:	7ACF3CADC41F208280B8F115C2EE58FE16FDB538
SHA-256:	27047E3D872637D62DD251A1E7CBE0AE5F1DD1F0F275A06405E6C673421681C6
SHA-512:	AA7ACDB5DD69CE5C8C62E4A89F65F94DD9316F9364E30EBEB66A542FC418FC586EC41B0D13D41548EB05B4B96E22113B879D20B9F146B935D8B6CB3826E78A51
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.Q.N.0.}C..............J..U..W...%....G.....G!.......g.o..=.o./...qH(I...~,..... .>#.Y.$S..%Wi`..1M....'A...i.v{..ah..)..J.Q,.-....'.S..OR...i../.1..J..3s.....I..>*..7.>.....m.P....9.-..~S.n.5.R<J.i...17y...?..6.a...Y#..G.>........-B.F.L.D...5....GE.E..B.P....yJ.....A.........xMc..9.]..1c.E.n.q.]..b.e...&..\^v..Vm..M...g...=.-c...>.PK......a.......PK.........n/Q............6...classes/com/sun/jmx/remote/internal/rmi/ProxyRef.class.UmS.U.~n.YI......j.$@.VZ...k.64%.4V@.\aqs7nv).........?8~.G9.{.$1....{..y.9.9.....O.E<O#.!.I..H1.90.M.6.Q.=.u.!u...w.a(....5.hH..@g......q.<2\.t<nX..0m.mZ...}..&mW./V..y...!w.u.E"....pF.Y.c...d.]n6..:....:...x].-.+.k...L2..p-...........c....%..o8..\..%...KRi.a.O.#T..%"l2g<...(nW.9/...{....+.d..\n...M\c..q..).f..P....u.s-..P....r.../d0.[q...l...-..b...h.....9.,...o}.&.g....oI..:...0..\|d..KN...,K..:..bW`....p>..=.;..L...69......P.....L..L...?........?.k...?.%..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.naming.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	460349
Entropy (8bit):	7.928980735357845
Encrypted:	false
SSDEEP:	12288:y8d3lQXYWlLLH56T4J+1hdWvHBmgmhhs+RGJ1:y8d3RWlXeMqdWvHczs6o1
MD5:	B396D42998F877CBDE5B93A1B238B5C5
SHA1:	ED864130A63A807EFC16CE9F97F8C24750A14C35
SHA-256:	734130C3E9D7A12A75BBB194C9FD29DFC85FD802B42B3CCD2C617C86FC905473
SHA-512:	8E44D12F37DE7A1F7453299FA0A3ACC566C2959A1C482DA936108BFB6514650AA3E2400AC090B65F2FE3FA53BCFF4F676D129695B10334B4160B45EF3B440043
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.Sio.1.}..KO.f{p.Hi8J.-..DU.T...3..5.9...........G!f...$..J...g...........3L............ ..CA{2.h.R.V.(...V..l0...M[..oF"..1...\v..q..a...s9#.q..K}..#.eyh;>.^.F.Q..m...8(..<..AA=..XdX.q.p..L........ur....u......[.s}.<..ju...wU.%.C07..B.......42l....$..U$S...&...#.g.w....,.a.+....^...0S...u."m...ciK...J.B..H.A.\|.&........U.OZY%..c*j...W+.O.V.M...dG.j......y.r.....$.s....P...ab?n...UMI...{#.uwR.aC...w....e.>R:..LE.......z.(..l=....2.1Z?:...n...t~..;..-;{..Y...\|./.:..<.&...N.%....8.)..9..%\..,S...e<.[...?PK..._./....$...PK.........n/Q............=...classes/com/sun/jndi/ldap/AbstractLdapNamingEnumeration.class.Y.x..u........S.,a....JF..."#.h.$.X...v....5.1....PB...Ml -N...%...i.;.>..WhC.I...G..A....h..d.M.o.....s.....]..W^..........A.)..a.[bv\|{...N.U(j..n.BaC......B.F..BK81.J.[v.#.X..j..O.I;.v.e.=..o.....F.q.+.s..QP[E.,...f..w.Q'.0...v..... .l..s5.a.B0...R-.Nz+5.Jo`(..KG..".pX...K..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.net.http.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	718964
Entropy (8bit):	7.932673218886782
Encrypted:	false
SSDEEP:	12288:i0TENWrWZbbneYeeZXg4ao0K/3JCypyudOQjsDv+X/A4zEs6HtZrvZ:AA6Z/teKX50K/ZPov+Xo4zEV/7Z
MD5:	5A11C4A6D94E1C67F84D2D22B7012B11
SHA1:	273C3A253F6845441C6B4D0AA000BD0860574EA8
SHA-256:	AF1946B6683575D724430220DB7C948AF2598E69091F74459CCA1F97A15C2A54
SHA-512:	841460A10900517CEB80F734F1492AEEE83287ECB521BB5107BECA3684189521D56F9CD2B17A136C521884124CD1F307CE51F63DABCAC60247960BBBFAC046BA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu.MN.0...@..K!...8A.*......n2m.$v....b..8..IAt.F..x.gKo>..?.<..It..y...n........I...Ul.1+.5B}r.....Y..L.A.......T.x....J..:I........T&,..W.XI?.8&.T.r.f.....Z.....Ch..u..S....\n...5/.g9.....d:gc...t..e.<.m...F.C..C..:.=. .mA.M....M......(__~.PK............PK.........n/Q................classes/java/net/http/HttpClient$Builder.class.T[O.A...(..r..Q...^X....E....%D..vw..e...b.Y....?..e<;.(......w.7...?....(c....Z.+ .~..]..s#..........b...sN.._..!.=...@.8..T/......\|..P`(...h}..P.....D.........F.....n....F..z.7...%.a.rO.U/..Tk.#.J'.p.L..C.."....\&.....i.]N.....i..8..H...,..L..n.Qm....)..)o.k.b..K...l.6oq?1'^i.h....~..9........e....<..v....t.;u.m.R]...+Whn.8e..@...>b.v.2......g.;5.iz..).{f.;.:.lr.fj2L8...z..PDB/0.:3[.}..p:....z...j.k.4.o.D.\|E.?.."..zzcy.We.-..K.mI...]'U..8...V;e...&.....i..Uo..ioXm.^7....1....B......:n...[.oc.....,b..]L.......dp...>..)..cZ...%..../...~......s.^....)..\|.Y.q...v.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.prefs.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	54624
Entropy (8bit):	7.943156238505704
Encrypted:	false
SSDEEP:	1536:QAcQb2JQBFv0vQ1ffh80OUisaBL00Yfcfd8tjsH5:QqjcY1fJIUXCQx0lr
MD5:	224D8C26B9454FFE244D354BC030CAB9
SHA1:	E531A7BAF213D72964CE4DD83A11AEEAE5713F00
SHA-256:	43622935A7EF06E30D1BDA7E77CB76488DA9E721728AE0B8ACDB1F9C7B91C943
SHA-512:	E0754FFF5801CEB2B1512AD0DDDF0D74C4C2AE97EE70A467E7D83E3AE5870A6ECC6F250B849108923AA8CA94EA3505C4CC7C9BEEBFC192B2DFF1E99A943DCBB4
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]N.N.@.=W..K....--$.=;.......J.!3....r...Q.;.&.Y.;.qs....'.9..N..:.qV.u."....zS.......h...h.M.}g.u..w...-.~Q.C.....<D.p.o#^...2a.PI..{..T>..$..r...?.ps..T.U....YxVf......T..X.....\..5......J.).}tn.g...T...=......PK..t?u.....9...PK.........n/Q............3...classes/java/util/prefs/AbstractPreferences$1.class.S]O.A.=.nYZ.(....Rd[.._/%D$..R.h.x..C.\w..,..H_1A%>...Q..M.iL7...;.;g...?~...q..dmX.r.c.;...k.W."....-.#...4...<.J+.}.@..2..=0j..#o..`..C.p\|....C.i.\...k.Y...c..6..F.M.......P.p.c6..L.*......X.....f..%#..\.u.S.n.&....a...0.....>...... ..f...mr..D.w..l.2L...^.I..."../.bo..2$...t..&..F.'...2...CKDoy..h=....L.i.J..a....J.apGs...?J.....\0..;..p.G.y~.P.......F...0.<.)..].........C%.......x@t..Q.4..Q..RU4../BEU....m.\)...2T..w.......R.@..s4Z#D..Be.+X.;./4.......k..4.....Q...8R.W.a..r.v..3.~.m}..=...}..dt..#.P.!3...Ix!...D.T.......R.......L_.2.....<4.!<2...E..PK..]5\.H...`...PK.........n/Q.........

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	385108
Entropy (8bit):	7.9135425794114935
Encrypted:	false
SSDEEP:	6144:WLo6BW4jXxBTXH4nfLyHInEmCC+Z/GTdy6ixx7KoLUTzROUBczZoUDYbwyKdlO5k:YvxhBDHauHIEDC+ZOTKL1IzCzZoUDYbK
MD5:	C4BF3C85D5A2B5A2482D29682F937339
SHA1:	2ACCDEEAD4904C6EC919771CE49943C9D6E8A9E9
SHA-256:	25FDC4D19B9F9BFF599212307C35ADE3C5B14D8FA326352837E2AC1919A27679
SHA-512:	51908DB9F980EAABB144C3BBD38563DF0DE3AD9AD286FD4D4F5C41B4F2D70CF278395E123D8C26A64742858A4B629902532C0AF097D020EDA92A7031AF586B66
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeR.N.1........E....ogX.n.411.../Pg..L.i....\^..>..Lwg.b'=?...z.........8eX.M6dO.K..cX.......J.T.....'.Q...).7..E..q...+.c.!..D.^..WFs,3.4.,O9V.....\9o.pt.....K..Z..'.+8"j...09.&.....g.......q<...H{UJ......Kx../6K.......z.].....C.g.Ka........\.<.!..dWq)..e)..Ik...t...T.+.J..F;S.m.a..4..g.>...Fd..U..C.<..Q....,..4...E.Wt.#..p!l.=....v=Qf..7...k.}T..........n..p.M_.V......F.<.E.............b...U..;.;.R^..;.AL.(...({....8Tw..PK..{;\l........PK.........n/Q............R...classes/com/sun/rmi/rmid/ExecOptionPermission$ExecOptionPermissionCollection.class.V.S.W..]..aY.....hQI".UAJ.V......k.\..f7f7......K_./}.C....L.38..8...C..7.........#.:.>d.....;...9y......\|!....n...2.^R...g3.=.>.3).4..6u..mZ1.vh.fw1...#.....kY[....5i..:.!A.j.....H.P)a..*ld....5.dB....i..J...v...W.)O/.-..X.$.ay......K?.2O0.1.[.v........U#........$.)n..q...Qh..lG=..:.M#..g4{.V...6Amn....H .le..hF2"c+v.p............e40.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.scripting.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	44965
Entropy (8bit):	7.9310029341229376
Encrypted:	false
SSDEEP:	768:T/6WAhx73PjgF6wN1l861Z/T6dKl4U1mQUva+qD160eYG3ichd66N3LgRBG:+73PjgTaK4U85i++1bmi+66N38RBG
MD5:	A64194B2F7AD00E12C9E5AE260B57B3E
SHA1:	2617AE8B733B5E7B31180A3EED1DDFFD1B5CF631
SHA-256:	BC08974AF0D13B1B362A651329036C24CC54028F1D0B3EB327350B51E2270FA5
SHA-512:	68FE47540C844FE28B92C0AE4E8FF5C77F60A4AD0C5F1F3857412DF36E11A6053697B823E7C3D653E012F1923502DBBAAA9B03803A24344DC5C384853A3D44F8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMNAN.@....PJK!9q@\|.YQ......\|`.,a!.E......x.....>x.....o.7H...eM.g.>..D....\|..I..W.y...c....".L.3.J..+j../:...(.D..v.c.'......:.p.+....67V/..]..aL8\..Rzi...w.G..+.z.........uM.......d.]_m.....c........<._.S6....I..p..i...PK..=..+....F...PK.........n/Q...............classes/com/sun/tools/script/shell/init.js.<.s....@47.]+.......K.......];i&CK.."u$e[.......AYI{.6.....]...<....^=.V.:.Z...G...>....0Q.u6-....AU..mT6..E...I..P..Z7.....}....z.............W'/^.~w..4U.4Z.j....Um..\|.Kx..z. .?....{....>.....U?g.....\.E. /.\|]N..\..h64....X.`.U..Z5.... .R..j...QU.p9-.]h5......^UI...k]vx....e....^.f.U....'.Z?./.j...s...V.c.O.<...ROTV_5{.\|p..i.~....-........v..v..+.).a......<T2....H.,t....6..l..9>X/u.64..n.O...s......Q.R.Z...j.g.r..G.....^O.&V.%.e."X.=\F..u].e>.e+........n?~T..,...,]..].-.:.0..................L.K..^...$..B..:........p...~.H.l:.M....5.u1k./-.7B.^.%.f.. ...w?....8...\g.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.se.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	2207
Entropy (8bit):	7.650310282866788
Encrypted:	false
SSDEEP:	48:pEEdhj3vrYL8RjLRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DjGqt:+EdhdKvJX/Agxo7RA1LZZAL4Gqt
MD5:	3B4DCB7D28ED3DA5F09ADE9FDE137D3B
SHA1:	0EEDA129FA837E4D5E54F678249C7265C96BE4FA
SHA-256:	4BD4726EB7772FD1A202DF3EEF6367ED66688E0603C4B970D22AC8EB560F2A04
SHA-512:	BBC8165555B54BCE7E2342CEE798F93245B0F5A4B6E9CD9CCBB28F7EF42E8B4E3DD729DB95E7B027CE955DB27FA3B8555D8015B568CF8672A4BEC9DC6028EC1E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classe..V.1....2.!.xC.&...A7.....=.68.4IF`..gr...P..k.9...K.OU.........p"0_..hh...\|.B..@P....h5..FbJ`..A....,..t....9,\|U........:.....F..X..&.H..X.Xf...2.I,./K.J.NN.....I....Be%...o8]q...Bg....].D`..:.A.x&0.1..B`i...N\|.K...^..`.:/#U..O.:.%v...."..e4..uv.-.E..+-q.k..}.k)RE...../~...zN_s._G../..P.D./...}]].?.....c.Gh.I.......X..M.;.-..s..f.0W.....S.s.&s....e.3..o...G._...PK..U.FO........PK.........n/Q................legal/COPYRIGHT.VMs.6...W..L.I{ir.$n....N...J.A..@).I..}...e.i{.@......C?F..f.....KC?.}.kCwQgHz.S.ds"..Y.MZ.K.X%.&..3z%..M.B..2.S\|t0...:..6x.}.;..i..D..Ye\|..&..wI..Xo....h.['..!..B.\HC.W.g.8.z$.q.....Kob...=.p.].>.Ld.....H.........H/a.(.sa?E...oR'G.!3......j...A..'.....V2..m..5H.....ex.z...m..........a.l.6..7{........v.3]..(..g.\|E.fg"^d..zc".-.dJ.[..M.6*t.uS.BKy...Ys`./.k.......yaZ..........U'.....&.n.&...P....F9..J.1bo.6..I.]%....x..../.1...[.u....ey...-.Ag$H@.BD....xHL.>..V...>

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.security.jgss.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	698330
Entropy (8bit):	7.957481640793777
Encrypted:	false
SSDEEP:	12288:vSE51vUGc5P3jM18B7OcsnbmTk2baTrPxLLu3S6qj8fM7vX:qE5t9UPzI4OjbmTk2GPxvu3SXj8e
MD5:	372B6F9949895C86164FDF3A1E99CAC6
SHA1:	B9D3ECAFAE368E7ACDADCC347DE6FFC08D031CE8
SHA-256:	934114BA650D81262CFE3CFBA0D5A190520C05CDDDCD9A7A875E3E1D951AD71D
SHA-512:	2DB6F0FEAAD1DD724447CE6E1E1CE92C5293AAB8A661031BB4B343564703BA033410EB0BE56B223F2F8901CDF158530503C0F5B6459D7918253C3AC7CF99F029
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R[O.A..."."..........P..w.LH..d.;l...lfgYy.w....G.g/.i.L2sn.d.......>.#aq..t$.At.j ..?.g(..a%.N".T.....I...a....;....._".H..R..V.C......iNy..@.I.G..,.x..Q...11O.H..a...Q....K..)7.u..p..:.K.IX._..."lLG3-.Xj...Q.v...)7."#u$F.......u.;...o..........a......3...}...]u5.jW...R#....;.&...P../...K...8...^._.z.$...`-p.<...Vg.'u...[..<I.+.[B.D......t.R0..(.c....^.../.%s.D....{G...-\.9...qd.7........S..B..a/..r!..^.v..\.v.B.+.7....;h.zu.m..+`X.5...#.........S}..PK..CU\.........PK.........n/Q............?...classes/javax/security/auth/kerberos/DelegationPermission.class.V[s.......,.....".f-a!..+.Ip.M.q....0...x..h...,s..Il..vl.v..0.I..B.L.-....C^...<'...T.....8..;.}.w...............`...$L$...}.Z...Y.\|;\.>f.v.9.W. .=W .....a...qm.X...T.........l c.].=.L..pV....?+}/.>..9g..m..P.TV..-..ZDj..@.@.^.B...{...K?......[.r....B.Qeub....W`.+.C.*.up.~..vb...&.......$Q^.,'XG...+......xD...0.(....\T.nxb.(...,;.ob/..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.security.sasl.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81698
Entropy (8bit):	7.940663737798511
Encrypted:	false
SSDEEP:	1536:PNkjPGGpYd4vOGnXOTbAuy88LVeMdC/FEM9ZndTL8kSCXWO5o4HMSKSg63WiWdYG:Jd4mIXpHdAVgkuO2GXKuHVWlZlV8i
MD5:	BDD7FCA80A0E7436DC46FADE0C8CD511
SHA1:	C491F4A649B8DB593F26D25133DD104D8985AE60
SHA-256:	F783A14F1FD9E804553F54E8B97E38A5BEB8C25ADF096FD380FC1BEE391153AA
SHA-512:	6DD0A97BC791E78C28E1D1D949911B94DB3E2B08E5055283AD0195E0897E7984FACB517FF8E6C7B6E78E310819AFCBEAC9876B0FF35370AD96539C3E8B28C134
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.N.@.=..r.h...-$........,..t[.7...?..2N....Mf.\....O...&4...C9V.kR..:...\,..W.....{w...2.2.u&......y.n9n..Q%...\_.Rg6j..~F......<S<.E..uo.G..jF....B..4a........;............{o.&K...S.h....P.J.....G..;..3..B..g.x.i 3Bk.b?Y....5P...q.">..q.C.+...E.6..:..l....gl.\...#.........PK..... .......PK.........n/Q............5...classes/com/sun/security/sasl/ClientFactoryImpl.class.W.w.......,lc.hB.b._.@.C...&26.6.nH..X.UV+.$i..6....> }.m }..b....9.9.I=).7...-.9m.W3........[.n.h.....G.7......HJ5."..Gu....0L..).ij....U..AT#(.f.#....Z.6..HV."....N..9.=.....d...g.....$..0....A... V..6/...B.9.....).......5A..:.`...Y)C3tT.u.....l..O`Ky.s....z...R.Z......o..o......`.@cy{.'..6.T....GX......4...?vpW..=..... ..a.1.;.Y..6G-..2.wX91.s.#..J...D$V..U..n.7.-EUA..Cw`.V.t2...V......U..M`}.'.v. .....wu.W.C.....R.a........W...GR.d.O.i.7j.HE!..n..CK.-#..../..u7.G..M.8.e...."...<.a....p.+.".G2j6{.G.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.smartcardio.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	58645
Entropy (8bit):	7.913344050895434
Encrypted:	false
SSDEEP:	1536:r6aikQmg/FHrHESArP6j+qjHQT3K4n5pBCZ9xkQ8AgIDAJ4WY8gOY5nIlSjI:e7mqECMbnVAXDq
MD5:	4C54BF6DD5C142E6C8C1A360C985167C
SHA1:	7449C89D087ADC871E26218F6AD82FD1FF5BC01D
SHA-256:	0AF33A68F7B71F12FA3B7F27BC69B80A86633F25EB82830076ACFC3170538EC0
SHA-512:	2C5050F04B4F7AD373CDD33B3874A38AA317C996DF27630D4AFCD6F2ACCEC6A5ACEE3ABADFCF8D0182104651BA68239FA13E4658398F9F92D0E1C6D4B4F4568A
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu..N.1.E.Cd.D.A..gF.t...$...i%Ef..S...........6i_.=..........B;W..H.....GB.b..$_".3]fLs.B....}t...=._.#.G@..[.FdV.../m..U....M....h..\......Aqj.d...\.Z..:..r-...O.....e/l)... .^..........?Lv@....\|..+Woq...\..S...].f.a.9.B.:{..PK..F......k...PK.........n/Q............#...classes/javax/smartcardio/ATR.class.Vko.e.~.t......R,....V.j..m.ta.e......v;....%..5.D.D..1A0.....\B..o..'..A.wf...J.0...y.s.s......2.."...P.a4...jOY5&z.....#.G7tg.@.+..".F............e....t%sK.3.X.f...V!....{...r..U.....V.+J..1..<...5.6.uX/.l;...m...Z..Yy..C.<o2..\.Ql.s.:c.......h3...e..E.2+..Z.=[g+..P..1l....f.im.4..sZw&9#M..iWv..#.....(..T..!..5RUG/..I..k...eN.......t....D&U.AJT;..d6...`g..d=Z]<..........lc.J..{R....WY....f.jY....D...2.Y.n....(.a.....j......[..b.>..@.#....hu..Y..`K.dQ.Q..7C..,...vD...0aa...M.............YG#J.+);..;.]....M..+....."....16.Y...,;d.3.Y...D...;..G.W....3..g.....VqX.[....5......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.sql.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	76011
Entropy (8bit):	7.806124696487568
Encrypted:	false
SSDEEP:	1536:WwNmF73X9Xw+OM8661csaSLwEqv4RO8zIYaHlrez:NYlpBj866taSLwEqB3DrA
MD5:	E910C6B0413AB8D4CD0A5EBCCDA387EF
SHA1:	6782B1D03ED398C4AA558C219294C6367F7C8479
SHA-256:	2A24C132034F0894A0AA38A2DFA546F6D20113783B791EDCC9831DFC144256FA
SHA-512:	A729C0449FD21D633E5F70B8FE98876E96FE7559DE0E4E137A55B329403B624D6F298B2D4BBA061AD4049DE224CC2A2C3B6FA2BDCB13430BE78E84992D537B2B
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.MN.0...../....@]A7l.;$$..I.eHb..m.=........Hx..........p.K.05.&......D....]l.._.n?........\|...s..A......_...C....(.3.0&0O.\dVD.6./..M+S.vD..!..\oe....g..#.....y...&..ID.BI.Bk."r%..x.....B...f.t..NP.........}.........~/l..s.g~..8.S..PK...p......k...PK.........n/Q................classes/java/sql/Array.class...N.0.."2............FH.h..Dg...,#s.3.j^..>..[1@....dY{.''_...O.0.P.....Q#\|u.. .....Bs.g.....p.e..........#P..9g...l.@..}.\|.P....,...<...@.+z.C ..h!.O[`..>U#.F.....Y..Q...\|+.h%K/(.....i.l....MGi...j...\."....-..~.T<......\o.q.y...d....d....a.......5....v\......2....)._....k.K.7.J...R...R..\.2.RP..z..P...T.&.U.+.-.4...Ag...Y\|..w..PK...?mb...&...PK.........n/Q............+...classes/java/sql/BatchUpdateException.class.W.s.W...+.k..8vl)..$N#._q.I.7qS.i.(vR...).F..JdI.V.(.\|5..\|.xf.....q2..2.e.7...x.7.x...sw..m..0c.....w..s..OO....$~.C.....-.=...X.......K..f...s.-.er..@,.R&Y#.26o.3....3..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.sql.rowset.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	190817
Entropy (8bit):	7.967262446791647
Encrypted:	false
SSDEEP:	3072:SiFe3M5fvodBY6aFvCLY3HQgZlTlJtlGwNa+Uk3/+y9L:o85XoHaRMCHQelhHlZVlGy9L
MD5:	435A6696E8BABB8D66B3D838FAED2BF9
SHA1:	4EB408C7D7E6A347CC6F331CAEC10DE7F55FBC57
SHA-256:	3F55459BE1A9E300D872F712039F975A3C5BCCFDC498CD0A603A465DE8633300
SHA-512:	D3D8D34400230FDDBBCDF469786869FCDF50491CDDF70B58ADCB33E959A5ED8649E374E714FFFFA7AA2D4884042F09B0FCB7963402B65BD48E1634D099E2B2BA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classeP.N.0.......hy.......{CB..0...I\...[.....G!6.E.Z...v......W8e.F.../.GU.ch.!.'>...,8.K.h5KDj!.P.\8g....M&...m....9W..1.m..:+.X...NlTi~6..i..u2\e.Dh..6..uq,ml1....x",X.5S..d.X...&.!...._-.1t...l$.!.R..8`...D{b(CA[.1..,.[.=.@$4{A.s....>..O.}....s`.....:...kl.......a.......ep....n..K..FY...q?..PK....:.:.......PK.........n/Q............/...classes/com/sun/rowset/CachedRowSetImpl$1.class...N.1.....K..RN=.(.$.e.R.....AE.....Wt.X.h.....V.D..E...UuvI..Ua%....o<...??..X.4....B/a.....RN..ja.....vpZ.f....-.z..y.W...3.C.B.F?lB..=q..UMgs.@x.aKRI.L....i.`.B..}..............jiwk{...Z.&.U.=.L(U..2.Q.c6..!a"..9...G.G..+o..L......Fi.O...o3...R...D6D.~.xl...r.aK...w.g.9a&v.....9w.By"}....'........\|..(...R..`.+R.j.pO.;./.......PF.1..4a..:..H.\.I[.!..e.JO.i..fmp....k..}.&..5..........t.{X.B.....k2J.hg.s..sZV..h...a.....*.y.h.s{])..\|Wk.1.5...3P6.=<~.=..1....-.".}.8..T........./k@./x<v...r@<J......E.............

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.transaction.xa.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	4035
Entropy (8bit):	7.63515724105447
Encrypted:	false
SSDEEP:	96:Yq0GYT9RMGlLOkhw8KvJX/Agxo7RA1LZZALaGXDHHs:f0GjlkhDKdNsAlsnI
MD5:	FF54FAF2ABD3B1BD2B868FEC043BB19D
SHA1:	C6EBE8364D84B85478C164A6A6A09FEB4394F6A6
SHA-256:	D73340591C1D956650175CDF0B12F5523EE5D5644ECDAF663DD7F44EBC28290E
SHA-512:	F6225B4F0FD673226F20D8BFC9A99851FE230C7DF59472FE07269B83A52F52E5878A39B9B2C55D8435E98C140F16BC383AEA01D4AEDED5BC4531084D491A3B37
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMMI..@..v..x......7A....(.L.....>.G....:tuWWQ....`.....z.C..u.Dp..q...<K".84..J."a..Bm2.c1!..#..YF..Q'4....$.6...r..2...B.X... ..S.[..2&8w...n.\|....(...w.....f...(._B.?8..j.<...PK..Z...........PK.........n/Q................classes/javax/transaction/xa/XAException.class..MS.P.....R.a@.?...(U....&..4a...7L(...:iq...p.q..?.?.7........>....;..r......J.....o.t=p+5.\....^S.....c......$..Q?.O...I...9.....E&&K.#....L...b=.+...81:..n.a.....d.[.#.3.y......U].^By.Z...J....{....}..ZG...ag2JQ..X[....#.d.C.Z.BN..^.R.....\.`.-.n:..;..n3J.k9y..f'4+..X.....8zA.V..v.4.V....d.).f..&.......ym..+..l....X......:Z%.}....[4..g.6/I.LC..h.....nf#...G....ms.G4....p.;,..bp.+4.......#...GX....*7...apUE]...(.....x...M/p..=.>.Z.<...pSF.;~.......x.?c...}..(..,..'......\|..^)e.w...6....a..>P..c.Y.z..... ..)>/..>..../H\|.\|I...Q....._._.....).!..xR..xJ..[.O........xF.{...?.?......O.....J<.^...X.8..J.R.k.m.[....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\java.xml.crypto.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	670979
Entropy (8bit):	7.887042011821685
Encrypted:	false
SSDEEP:	12288:aXgXoXuXOLj7awadMRn6HG46P4IN8mvyHswk596dQLreo7Z6AAb1yRvuASgS5Mey:aXgYMOLj7awadMRn6HG4y4IN8mvyHswi
MD5:	895377EEDFDE160D01971E53C5657F7C
SHA1:	8A3E4A11683A7F406DF57277921A9B5E49DCA185
SHA-256:	026D61591C17B3ACBF900F3EA676452CC668062116C5B823709AEABBF77AC7B6
SHA-512:	D73AB337D179B07DB5F01D58243578687A9E4323BCF6ADE8137E31D882099966EBC8C132CC3A5391A4C77D532B54C5354C6C0279CC24AC0970375B0EEA0EBEF4
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.UYW.P..F...6.....K..-.&(.((....6......7~.......[.....9'..............9..:].Prx...~.D.`..Y..z.^q...'A..Bh...q=K.3}..K....`.3..!....q.1...Y.vt.!E.lt....?.n............"..'.:.....l...M.%........KXH....z.........$......'..A..v/.p....4V..)q...0..I%?>..6a&.^..C.).5L.h.^.r...f...Y\..a.)h}......bJ..<&L4..m.cQIH.(a>9N..r..8..$.>.........I....~.2I.......'b....v$F^...0Fm.N....W.'.]$..b..G...q;.(.j?.0C.......0G....@...UE.../w.-.w'..e.....njX..."..@.P.Z-.2.?..$....}c!Oc..T.,..xOh;k.il..b.6.../...R.H..o4c.kse.v6R.D..U.q.v..[.+.z.?..<..>..T.{LX<"t..^.?.3.-L.N.+8{Z..X..=...5)[....J.......J.W.KJ.Qr..-..\|V.....].A.n@..na.wpW.>.#<.....t.c.9L.4/#,I....-......PK..v.G........PK.........n/Q............K...classes/com/sun/org/apache/xml/internal/security/algorithms/Algorithm.class...O.P..w.+t...(...0.I%&j2...@.F.._..M.v-io..+}....}..2.{W+HM4.Y.=..\|...s.o.?.............F.'IC'.=..qwW8....C)..N".4..J?H...\..X..@.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.accessibility.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	517331
Entropy (8bit):	7.932914811977659
Encrypted:	false
SSDEEP:	12288:3Jcwf4nlwkOnw0dGfGf2NNdGGF56ZwDcBy:3Jcy4nlenRGuf+NdPFke+y
MD5:	1BF162783EC1B1DE6BF846275CB30304
SHA1:	DAED3EAFA8D19CA690F8A46B55DEFB0FD5F55387
SHA-256:	BE8A7293DEADFF4410281D93A0B6E8CAF2ABD08486000F933E2B7794998B0AAA
SHA-512:	71000CFDE3B33D7E1DE2BE8F34D1A4451CA37DB7C7CA28B59A6F6C00A730E974EE9F0AE4868659B9BD47970FE70CD83A4F523AD0D03F70362C5C7BD7FD99AC95
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.@....HA>....M............}..].B.%....sy..\|(..S=.....g~3.;...o..qL...O..S..@.V!.L.\..........T.b.D(....3 .y:tM....~.].%2.D.E8..L..P...........6..z.}i.....!.g...}n.j...el.M.../......l...NcO.@.\.....+g(...K.[..E<....P....'B..b.l`.J.C.7..g.[l...,..)[...'.......WU8W.a....PK..a.-.........PK.........n/Q............@...classes/com/sun/java/accessibility/internal/AccessBridge$1.class.SMo.@.}..q..............RU....i..rA ......v......~.?.1v".R.QK..}.7..3......}..QC.C#.....1?.a.U...c.8..T..2..Q.-...c;.R}.>\|.x.........:1aX.5O#..n.....B.3Re...G.k.:..`..q.'.-TX..$...X..MC..0......fb...3.b.t{..FZ.}...6..0e..F..\d".$Nj"6.t.V#..~1..y..N.......}.6...O..+.3...9.../.e..+..x~: .w.;...K)...L"^.R....e4..B%..Qfo.;..;.....Ck_X.J[..R....Za.I....O.V....n....g%r.+.g:.p.l.....`..k.N...1'?............g...>...f)..Jq.T./X=...K.YEm.V.7q.\|.[d.+d.w+..#.z~.PK...G.'....h...PK.........n/Q............A...classes/com/sun/java/acces

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.aot.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	286933
Entropy (8bit):	7.911348853312728
Encrypted:	false
SSDEEP:	6144:vlan58OL1oHDUV6c+45ksJuLWjNAN3ZtjV5OyaFQWIWdB8VimLL:vZHDezuqcjOjQWIySs6
MD5:	CB1CFBA8201EE222C2D69845FC055F84
SHA1:	8C448B58260790B6B10231F0153FC7438B41F4D8
SHA-256:	DE900FCC734F2CE46175DFBAA4C26368452C6049EA96A35F1E27F5CD988C9D3A
SHA-512:	2B69DD8B25F2549C4BCD4F2F3E3FB21F0EB66FD8BCAD4CEC0F7B731317041BC01B8329644109C0823839F3BA78BE48CEB227C5CB958CA3101E24035C24FD15C2
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}..N.0.E.c...1.(.y..H..=;$$...b..IA..],..>..BB.`..G..~..\|{.p..P.&...)...?...9....}nR.#...3..?!L95H.QI.q.`(...s+..O....S..U!,.....)C..Rh.R.........0....')L.....0JI.R.#....P<Ib.%C..,....}eX$4......B...a.w.J.V....O..u.lV.(N..../".......HI.a.P.\.c~/...7.%L.....A.O\..8........a./.r{/SB.%.C.....!\|...#.....{.u.S7z...3;.......eT1..L..i.a..Xrz.k8...PK....h.x.......PK.........n/Q............>...classes/jdk/tools/jaotc/aarch64/AArch64ELFMacroAssembler.class.U]W.E.~...tm....b-.MBe...HK..l0..4j..a...M6.nPZ..z..^z.7............n.ml)x<........;......FPH...q....U`.S+..]/..W,;..L..M)..:t......i)o.....=.Z.8%'...If...M..0C.6..Z....o)..8^i$.oG...H.8.C._..........m2;..x.(e...R!..)...X:.... ...a.E..8.......j`...k..W.?..H..=j..:..e..l..-...W...T>..p"...^.).s...E...,e.......6Wr7......}..%.b.4^%.n...&3......6t.xMs.V,k....8+.V.\|'..d*.M).i...H.Y.>..D9.4......\|.c.N..x......:.tc+-...Li.SE......_...:]).s.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.attach.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	38562
Entropy (8bit):	7.938691448340528
Encrypted:	false
SSDEEP:	768:YFL2bxkq9mFS8C+9OwdExG3rjwo6LkgHVOImnz3E2/ElTMst5G:Qalkq9ktCCOwHwo6L91Dmnz3E6ElTltQ
MD5:	B1ECA358F4D3525178F96244F11344FD
SHA1:	EA84D813907BA33FB66E54FC0A8272230F7F6FCB
SHA-256:	178B1246FA90169F75CC8DED648A88276DD252A28A85F26676777D75D290BB64
SHA-512:	985D19030C00EAF12E088184745739ACA59797D6E354FD41B1483A231E66479DAC0260E1BA9A3A5FFE4954CD69EC8FF49ECAF7D14DF0C4333BC77B2790EAE410
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.J.@.=..&M.V..>v.\5..".r#.....c2.I.d&........TA....9.........1....L.(...".~4..U..$..gJ...E..._.g....".d..J.T.+...0....<.....3.B.V...zzy....9K...b......$."........N.Q../,...5.o.]6O-...DY..6N.>......J&,..).....)W..".#..#.E..K`...}.u.C....}K..e......D...6.....@.a:.qhv.}.PK...4..........PK.........n/Q............?...classes/com/sun/tools/attach/AgentInitializationException.class..KO.A..O..y........1.c\..b...6.. .qU...LSm....7.!...p..v.....TO.H....7.~...>.s..@..u.P...D....W.]z.4#..~..Y....6..(.-.k..Z..&.h.<..=/I.g.(L<i..v..#e.."-C} .....+..f(.T....1.&h.....f..6...P`&Q1aC.'dl..,\|'0.Lb.......k....(../........?...;.( G..8O..N.....M.s$.zcj.../.3.{...[Q...v.,...S.."o..g+..fp..Em~\|..K.....2Zg^p.wO!...T.2}..4.\WX....p.Qs.&.>wGj..r...'....zEy.....3..(wz.9..t>.n._..:?....nf.........9......1....J..\|.p...L../PK..............PK.........n/Q............5...classes/com/sun/tools/attach/AgentLoadException.cl

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.cryptoki.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	351274
Entropy (8bit):	7.9627246365800355
Encrypted:	false
SSDEEP:	6144:ulMVIrmuMtJv/bpPkLG9zDEUa9NcHCwegOkCh0Tmj3/pxk3UKFZW7dc:ul6tltM6xDja9CCuOkChC0BxkkKFZwc
MD5:	1327D707FBB8DF3EE0D70D15A9C0D040
SHA1:	C4659E3754C6FA51E043AF8154AF8A9EE18A6F48
SHA-256:	EF9D8D43781AF4C7A1952014806FD3E36036DF92D62E79A3C0AF021CAB6EDA50
SHA-512:	E67C3E11EA5E962345CAC9682BE0F66E21CEB754AAAB2B48EC504D5EC50462BE5A96F59E28F046F9D3565E6C27214BD1793D8354DFA13FD99A2783EC44AA3AB5
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.@.=W...G+..7.)N.n\..1&M......N3...\..~.q..Xp..>........W..L'.T.U..=..t'.N....I...,.BoT.\|4.M....!l.....Q.b...2..#\.I...\..-B...~p+}t...QR....5b.#2z..i<..n....,z}...pFh.4B...t....#..F.E.......;7cY.=.%..C>K.............[.9.t~wYg..{..s\l..hc.....PK..gz"J........PK.........n/Q...............classes/sun/security/pkcs11/Config$1.class.SkO.@.=...}T..P...q..u...%$H @.G....t....!3S....(.?..e.....tn...s.....w.5.-".....>.3...'...Q...?.a._..0...re/.<.....<..0....@W.....SCD........).q.u.E..Q1/..-..6.1.W..6.....fG.c..).r.R.Q.^.E.P...%...Gi...(....W..t....%....6&..a ......dPF.0.]..XW...-~!W+b.....x.......k..,......8bp.=2..0L...{G.....o..FH".e.3..E..}.v.......?..H.]0g.B.j..=.....\|.+...ok..v/.i.\.u...u&^.....K*..2V._...J...$..Y..Pj...-..^1._.l....fM&..^."..C_k.1M......,.t.h6K_.E. s_.>.G.Oi.O..(.hw.P..E....J..$...u,.p..3\|......{v!6Fd`.9...u.`..4.#>....r..-Q..=.~....:...DM.KT).0O.......EbM!}~.PK....8.H....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.ec.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	201772
Entropy (8bit):	7.9524710852936815
Encrypted:	false
SSDEEP:	6144:9qVHcUYpfJbKNaLV2ppHAVxWHj+f/ehKAqW:9icZp0yVOxA30j+f/eJqW
MD5:	263F17CDB67CA9DC7704B373ED4FFE6C
SHA1:	6F8E27D98F9187BF6A19A6C048E4C1E8AD43D2B1
SHA-256:	C35E8D06078F41B89D152DF528C0F577A65BEE1235379B17E0C5BC54867B80FE
SHA-512:	6C3689F290F6FAC4A090B6F01B7C2E70390F158F548D2E3F3F04F5383C895DA6F2D0092A254FE85D3FE0FA9BDA8F50DA72173ACC9A0AC99F590A22D6E370D3B3
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmOIN.A.}_.f...t....D.4.3!...U_R.]....s.....X.q..'.x/.O...'..\..s....M.n...........DO.r.Ef...%Byp'n..J.$NY..d.U...9"c.....1..&."...b.x.).h.z.....]...@.).<yz.pA..l..?...._......P...sJh..W....V&.v...\..n..\|[.!.\|...k..X.....x...A........z.../PK...I......l...PK.........n/Q................classes/sun/security/ec/ECDHKeyAgreement.class.Z.\|...?.$_2....`F.F..9. ^...@.!.. .:.\|IF&.s......wW.j.-.....El..V..n...]{............f&a2.....3..{<...?....}.k.....9.5.2..\|..+......h_$n7\`.-.ZV...."AA..`8../....@..JMh.Y.D4..kX......'.p.N:.iK....v.....+.......)...$bqo....cq.8`y.N..rn..D.9NPY.....]..x4..;c..e(70.D.*.I,.....4,n.2K.......q[w.NO.....32...........\.....f....x.'.......-Z:...w$=Yp..D..e..f../N..F..`@.~...qT.d..Y..0.e.{w.....cq...M#...1o.S.H...7...M..M.@....]...B..fg3\|F.O5......g..\.`..[B!.....i..2...k. ..Aj.E.R.....LX..Y^.(j.;...fnAY.p..qy8..o....4....\|2.S.7..5R..G.....S....8S0c$....C.&...%-.].\.98.D#...]V\.;F.V

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.crypto.mscapi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	78196
Entropy (8bit):	7.92845847050618
Encrypted:	false
SSDEEP:	1536:k2Na/LNYo4Z/rkUG3FVnJP1Uufitv3eQccdatnKdknGFe3mUsGwzMOpOICSCSKPm:Z4CQls2igDGFiCgtIVjqSi4Hh
MD5:	6F42045F475CC7E5AFCE90B03AA6ECE0
SHA1:	51D26AA2154B906A29A931151887E9EA5C11962C
SHA-256:	F35CBD067FA654E4782847D60E27BC6BB19329C144CE724836E11ED3024885BE
SHA-512:	630781278A0BD196D38765E37566E8704CD09EFB48E267EAF541AFF60D0B3585884F4F27E5F6C4A0E5AA1536B5CB1F84DCA65E02FD80D22F5AFF296D2E6DC396
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmN.N.0....P..%.'..:T.......J.....Tn....V...8..\|..I...J.....~\|........+5...@...[..'..r..K.r'.Z.h....v...."qJx..].0...J.^.S1:.....Sk6Z..K...F..b.=.O.....x+.^.`>..$..!.b....z...............8.w.p...b....Bm#...(..B.0...c....PK.........E...PK.........n/Q............4...classes/sun/security/mscapi/CKey$NativeHandles.class.R.O.P...V.v..(.. ..6..#AQ3!8.4...xW..P......#.A.y.O.A=....@b....{.......o...`.@.I.......vy....?....R.].W....V.idt.&..dX.z...........u..+1.o......x"b0:.p..A...%......K.d`..:.&.c.a."r......v.F..RK..)y..{...Y0h.`. .p}...E....}.h...Z<t....w\.....C.0d.b..m.b.Qf.......Cjc.#........:b...$.#.h.. ".../..H..G.e./A.'_...'.0........C.V@...fe.@.!k.d6K.j..8.....PE..0....!Y..3T)......+...f..I.$..M...J#.Z..?.#R;B..c.3,.. ..\|z.f.r..)...b.A....U.....T.Z0(>.]......g.......T..&..55.p....EuV..%..i]:.....:A..A..%R.....q.$4...\|..PK...S;W*...E...PK.........n/Q............&...classes/

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.dynalink.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	164226
Entropy (8bit):	7.892034326519069
Encrypted:	false
SSDEEP:	3072:WduPEhfhy9SH8Y4zuTV/9nrPcTYxt7qnbN6LjTjAW6+w0ghchJK44kupSzOxGwQJ:WduchfIgHAzuTdR4TYxt7qnbN63TjAWN
MD5:	5F943224E4AF329272D7FDC2066583CF
SHA1:	895810831A50558AEA8DE45E121E5166030B9E54
SHA-256:	AE6BB704E5073B9A0A72E767E7621077E78905799EA24493D23F11E41B6D8E83
SHA-512:	BDFC9110CE85062532C583920D2AB6D4EEF9345E87FE5C68264C3E83020705E3AD3C4ABFA248C4C3C59FA9718EFD288B19DAA78C684A856F847D5F6864C24015
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.A..V..Fv.....J.^..........e...7....G.g.1.0...JM...>..\.P.'a...T.I.Dh.....qBu....C.X..........B...C..Ze...e(..k.TS.M.P!xk....j...!H..$.S.......]B...y<xvO;.I.I.yh.z...3.C.1.X...{.nS..b.P~N2=.w2.....V...y...Dj.[./\GbJ....Y.....\|.la.r8...qd.5...ffs..9O.;.....6...R...;N-.w.U.5.~..O~.PK...?.y).......PK.........n/Q............5...classes/jdk/dynalink/beans/AbstractJavaLinker$1.class.S]O.P.~.6.m...0......B.7.b37.n]B..p...'.PZ.v3..o.V.c.......i0.....y.~....ur.`.k%d.U.S1.<..{.......@......G.p.`.:<.........m.............3.....U\|..Q@QAI.(T...83zq.q'y..I...U.-...%N..42...i..v.j2.f..3.b.e...;.....m3l^.<..I..1.......b.T0.0.O5.>..t+..N....GQ..**n.)...1.Z..nH..../.v...6.K.{..Ym...>C..{../..,6...K6.$vH.....j....=.ux.'f.I..;<.$>#..;...3\..A.'...Z....z..a..{-..CW......5.l.8y...j...j>.c.+x.\|..0._.Oy....=.V...(O.<.C.......h\|.;.Q......Z....7).!8r.g......J.?#.".0...P.G$...g$...K.Y.S....9!....hM..V!...\|..ZU<

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.editpad.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	7108
Entropy (8bit):	7.811258404475187
Encrypted:	false
SSDEEP:	192:Q8DM/XTGw6L+YSUUgagGBdzubltchdvvWKdNsAlsB46c:Q8DM/jGNx7agGKblGDGLAD
MD5:	AA734D758967C9CC99D97CADAF2CF600
SHA1:	C11F74087C937E8A29C7B8E9E796896D0D9359CA
SHA-256:	614B6DAD2877EAC8D0E1F7D29F2067356C3ACC3CAA40DC6DCA23953F416D79DE
SHA-512:	959EDABC1255EF215CD76F949FCD6B1809D9A8E01BB320165AF0E9462EBFE62646A6DDE9017FE55944B5B9036C2FAAD87064C2EE64B46EE80511A0C6761CE988
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMOKN.0..WJK...\|/.&....;$.X E....Tn.8..v.s......8T..y3.y.~~...<...[)^$..j.....,.Y...2....$.fw.M0....M..P...=.f...S......=B.\.8W...aT..i.t..;.....;.9+..L...L.K..H...B.qL..g(....#t.\.g.....0.>...l!.MX..L/DN.ld....l..o.@..jb..?..}.qh.....:..."..3...5p......PK..5^..........PK.........n/Q............#...classes/jdk/editpad/EditPad$1.class}RmO.0.~..........o.J....i..:mR.&@E..4.......].@.......vv.m.E..r~...{....@.[S......J..W.u(b.oy...~.q..P.2... @4...)x.^.'A7Is.1.EW.......?OD....O\|.QaX..>........t...[m(Jo.....x}.3.j..\|.....z.a.^..H.v..i.1.#..A..\d.C.j.vy..4...c...iQ.`..03.M.....`X.G.]..o.0.]...n.(.e].A.....I!.m....,.e....j...&.D.?..&.OJ....<.9V..}...J.<%@...Dh...j......i...k...m\|..W.\|F{..@.../.....`..{N....=Y...wp.c....gONI.._\|.o>...L...79.X#.`.5l..:6-nX.._PK.....m........PK.........n/Q............!...classes/jdk/editpad/EditPad.class.X.\.....e..,.X....&..B ...l,`b...CD...@6,3.;.....n....nz7..$.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.httpserver.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	102118
Entropy (8bit):	7.881915775504197
Encrypted:	false
SSDEEP:	1536:hA2EjV4dImyeS82MzTdgErULKjFp4Fm1CMfe1ChqmxrMylQEnEfc6o3zqZ1o:+2Ej5mlP5rUGjFp4FbMfe18r2TYMZm
MD5:	F4F26CF1AABC52F9C792551E45F971CD
SHA1:	98F52335B802EDE4918EBE4725E79BF59BD48029
SHA-256:	AFDA7A68032E31314698D506E38EE63682A506BB72D6620DAFEA6DA1578585A6
SHA-512:	820ACBB8CAC8E19383B5B5D93AA475E83186148022EFCC125001ED2A3CDE96B9F131D083300D62167687442865ACC79644E169553A4C749FDF0E43203C938124
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuP.N.0..../.M.3.8T......J..Lb..&..$...8..\|.b..PV...xv...w.w..z...Jt.b.....!...y...U.r.6.Fh....q%.Qf...eZ.........R..1:.....}W<K."....m...S.'.4:W6...;5...^......%..-.L9B.G<I;S.a..en...E~{....c-.a..1...G.....x>.....1b.."d......PK..D.......}...PK.........n/Q............:...classes/com/sun/net/httpserver/Authenticator$Failure.class.R.N.@.}..R.............CbH.$....n...dw.Wy1.x...(.tA.nx..7;....~}.\|.h.$...&...d..h..8tB...R3....&V...sU$.C..@1d...Wm.t.>...e"oc.6..ZL]..b..l..,.%.D..Y.....#r.L..\|.O.\..2.~....~..ICM\|.....}......H..HD.......r....]..Ku.Ie..N_....\t.WJNr...5..pJ.L..1..O.R.g.Iv.P.pr.o..5o0_tM....d/`.....M.........VZ4v...t4.2.W...tY.lk.{Q..Ic_W.p.}.G.ZZ..#..e....PK..1P..g...p...PK.........n/Q............9...classes/com/sun/net/httpserver/Authenticator$Result.class.P.J.1.=i...Zm...B....*..D.TP.{..n.6.$.......G..[_\|....9..I........).h&..h!../.J.B..y?_P...Kmt..h......N3...4.P.y.......CN&.L....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.incubator.foreign.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	67990
Entropy (8bit):	7.946352945303167
Encrypted:	false
SSDEEP:	1536:bUJtgSL6NznTI0AE1ZSxiubggeSqtx0xp/2hQ9rW76B93ap:bytF6NbBz1ZS3bggeSqtxq5/rW76vKp
MD5:	E9CBB864F1F0780B15F40963C426E6F3
SHA1:	F910917052336D532732647BCDB73D80DF612C62
SHA-256:	FEEEBA790ABE0CD4A36BBC68FE29185B4A152663ED5FC6B6261FB40E729D3B21
SHA-512:	DE83F8F52040E862A495881C59A5FAD444A012DCDCFE65B56896A079D6DE1B4668138F48C9E50E091BD2F83E11F090CDBC38E47FAD52186DC6ACCE6994027535
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMNAR.@..A...h...X.J.p.F..~`H..B..$r.].\|....dE...t.t....'..bBog...6k........w&.m..&.V\Z....L.sB{....4x&...g..a..R....D...W+.$F..]..%.s....a..WN..I...b!..R[C.....LJB..Mj..w....h...Q.g..y.o...p.U.%N.n....6_.n.y..PK..%an.....C...PK.........n/Q............2...classes/jdk/incubator/foreign/AbstractLayout.class.Yy\\.......p.0d5. faI..!b.!.D.".Db.w...I......R..6.Q[M\....kB..4..>.Zkm.Z.V...^.....s.af...o.....9.w.s~..._...PO.9..\.6.y.'.l.....ZpS][.f..%./.....BnUuW..(P.PQ...`.oK.?..j.P../.....u...hX.F[..P.I."..t....z,....F....h..7...i.QB(..Lb@.2..s..2..U..L...M.@..c".Bq,8.....Zo@o....UI..L}u..9[...Aph.h.....B+.P......m..B.!SL;.....s]P....C..J.'.m.G......34....../K..Q.R.X(.?.]...T,."Q..U.6..`...*..LX.jP.`...8.P..h...mZX?/....P........4..[&O9...Uq..'.i...!..M.-.Ia./.4,_..z`.O.W....d.BpN...w@..C...B,.+f...D....a......G...b...hb.....d:.4.z..F...X.Q.E...9FJ..ay..\X....-hM..@.g......LsV.....b.Z..eu..3%U...'E

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.incubator.jpackage.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	944571
Entropy (8bit):	7.993019507850888
Encrypted:	true
SSDEEP:	24576:o/LKQfuCSkRb5ZBlZQQILYqwjypRJ0lqmAp:4LKQmCj1lZQvLYqweh2Wp
MD5:	D202B393A656A5E8C68687B4D33F55C4
SHA1:	9B41A22AD8105D3CF3961AD8F4D6E750BCF291B4
SHA-256:	5619F01649B53255A0A3E68CFEC3A4AD2DE6200F83E347DFFE083F0839AC467D
SHA-512:	01CE53A2C06BCA793DB0AA9E7011A3D4C734EC1B4DEB289CF3E57973514DFE25D325C3C401798EE22CA06FEB47D643CCD73880F064AFF27449691C189C7D7AEA
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.0...a+-;-...C....\@.....$.1.mjGq...\.x...1Ii..j}...G...\|{.p.2a.a.....M.D..%85.,..5..(]..DdB...j]<.".......OXa.. .....P.......rCiM.V.-!OX..o..K."....a...$.Bk..."...i........N...b..2.H....9L....8R.k....._..Yy.m3..N.]^....9B...^.. .J_..r.*3.Rw.+.2.J..3aU.........<;W..F[....<.-.../5....D.$#...y.......@....H.^l.~.10..h3...dF...i..{..^,b....... k.(`..)..N..~.PK..-O..~...H...PK.........n/Q............N...classes/jdk/incubator/jpackage/internal/AbstractAppImageBuilder$IconType.class.TmO.A.~.^{.yH..K._....."j.)..M.H,6!~..G.r.k......h..2..%"U?..d.3..>..........#........Y...x.z.F....nR(0=.....x...Z.R.2.eo..x.p...-3..EG.1...s..v..6}7..s....a.\|Q..`..H.&......9...C...{.....I.u..T~.Za(.....)\W.....Q.v...?.-7......6j....;.!..:.I.~.V..I......;.s.3.E..~.L..x.S.e....Gu..m:...X.".@........).q$.....:.`B.G...V3.K..i9.P).......a.fz..fS......N.]..U.Y...8.i.\.'.w.)MT....#\$...-.v......pq..D.U..Y.....L.jR.n

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.ed.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	7519
Entropy (8bit):	7.847897535550514
Encrypted:	false
SSDEEP:	192:5IDZZqI952/n+g5u2ssRZZl3ewqKdNsAls7+B:2DZP9HgAuHZo1LAR
MD5:	C8936F98B9091974AE938C3DA77A2F25
SHA1:	F5A9C8C0883DE8EA79C3BD9D8AC3F80C11320157
SHA-256:	138B3AEDC0F46E2CAC688CDB36B78E9B06D102E8DC9C3E6F8A7CC8ACAC993263
SHA-512:	BB4BB7268C81DD734DE01977AA2AFD1CB4301C09EDA7D1D6E396EB7E24034520F52AB4111B9722EC32FE2DAB158D21B5DDD4EC579FB29125BBA3BD91089AAC4C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.0..-..)}@.\...u..\.sCB..0.R..I...c.....G!...8..zgv.3....'.[......Ol.RtA...Be.M.F.Y(..\..)61...Z].).\..n...uQ.....]....je...=.u.1...{y.J...y".^..#.....u,!.CX.i..l..\....I.s.....M..&zin..@.....<........E.P...@:...8.Z.FH....PK..........Y...PK.........n/Q............;...classes/jdk/internal/editor/external/ExternalEditor$1.class.T[O.A......R..!.U[n......5@J1....``.%.[..JM.....h.Oj.5...P 5n..g....sf..y..@..a...._A...c..MU....MWyY8...]o....'.Z.ua.'(0.Dd...AD..Aa...v4....t.......X...O<3..N...H."..#.N...c.:.....Q.:w8C_"{.....0...D..>.f.?.".p..;......B.i.......,C.0i.j}^A?..y....PX.D.\|..0..T.....v.i..'..r...E...kp=...P.t..X.Xq..@.E...S.'R3L$...d..?g.)...0x..U..Vt..e...4K.kO.w.Am.&>I..We.....!.n...D=."...A.{.y.c..~......z....=.h..%m....5]3........X0<;..?..k..T,.\|:{..i..[.Y.J.:.].{9...d..n..X[..Y.b.a...P.v..]Qw.C9n;.tD........6.1H.DW'..toL........$...B....k.....U....\|./.B....".H)

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.jvmstat.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	90538
Entropy (8bit):	7.8478943536932055
Encrypted:	false
SSDEEP:	1536:3fa+mzmuYgDlJR3aOy11mrrGFHz6FH2TD8YR7IactS5HK/6YVGz2OMPCzn3/PQPr:v1mzh9vX/az6FH2TDjIStA6gODz3/P2
MD5:	2F1AED1638554EC6D6479CCFECE4F6FE
SHA1:	767011B093A860A269947435B42A0918A031DBCB
SHA-256:	1CD4ED9D066D1C5D2B8E179DED7024F2B52FCF9364F1C0765C5D579FF73CB2BA
SHA-512:	987952BF02E87A4011B77A25CF3811BBB91FA0C166F3F7BD31C83A705A821685252F4F9C280AC77834EF6AE8BD57D96A467E8D2873BE1B8ED898F18AA72B195E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R.N.@.}..a....`..`l..\rAB . !.;j.......c.\|..> .....2H#.K.U...k..........a8Ua+..(k...0..x.(....K/..3.xq.j#..>B.c....,.[...qQ!8....,2w1H....e!3..&.v..d....O.#.....U...T.7.D..#.....@$.&../....M...-K.$..r.U+..v1E..>{gBK..!.0F...f.....4t0G..+.i.0..=?..0c.....v....D.E......o...>#.B+..w..\..B.R...NJw...dG.F.F......lE..#.si.#.Q..k].i........?`.^.q.....A.rc...9..a......g...G{/.....uFx.1..Uf..#.....l.?PK....vR....d...PK.........n/Q............1...classes/sun/jvmstat/monitor/AbstractMonitor.class.TKS.P..n....$(".".G}"BE..3u.8V..F..J..&I;:...n....3....(.sob[..7.'..{.s..._...X..\|.......w.W.xA/..[..#.0t%..,3...L.....).Ca..+..A.h;../.).l.W..c.9g.}g.Jz.`.H5..e..K..GA/....J..FR.H.....Pp....n.z.,.......L#E`..\.%..JG+[)..w..X.o^V0.+.A.rxX..c.vvB.s.Wg.!.m?._....N2..a..dL...3.p....v..].....3..%9.(b../.HUi...ik'3....w.E.).dlV.Y.z.g..i.^pM.........li....].X.A......h.3S.(aM..7)..P....v..a.%..N.z(5.<g.......ig..[

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.le.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	424947
Entropy (8bit):	7.938896145421226
Encrypted:	false
SSDEEP:	6144:kDK++kib1+dsmo6Asyn7XP8VClZe/vgPpHH8qUINO2QEnPyf2rQ5ASe:UrwbQno6AB7XPgCn/Bn8NMfQIy6Ke
MD5:	4A46A0B3A85C592A5CD1A875C466E386
SHA1:	9863CCC4CEF7FE3A46FB9A99CB367346B8872D3F
SHA-256:	05EB47739AC18826EA713F68E0611EB59950255AB002FE3CC7CDED75A9CC2464
SHA-512:	9D1B7EF66CD98A22C3A6E160F315263643F444A86F8C237C98E1FA6101A3A607B49266E085D45AF9F8A1FB232DB85248C046DA22FF2B6B679656EF6CD8C71DCD
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.R.N.@.=S(n......P...E.%R/.}..J..?..7a..E.....C?..B.a.VBib.sv.3......?.>.P..`j...G.."l.C..:W.f.L\|..:....na.......}.6g.,+.l,Ckb-'.2R..7_.i..L.B..W"M.Z...x.N....(+..GK8.L^$.@..3G.Dd...$.....[..e.2......{...&.xN.-r..xI...N.cs.W.J9n...y..j9.0?...C.......4M.....i...5~e.C...$.l......}........N.X..{... .....E~.....+..f..P.W..q....@x}Uf+x...U.....7.n9....;...u...y..5.^......g..qp...-PK.....i........PK.........n/Q............9...classes/jdk/internal/org/jline/keymap/BindingReader.class.X.xTW...,y.......)....iM..2.......\x.yI.&..Y..wk.j.R7.......m.. ....k.k......of2Y@.~....}.....s......j...k.g.2..Vk..NX...v4.P..O.3.....~.....7.eR..PW6.....x+P..@..sP..5.-.Of.T.J...Pxk"......#.h.+....sl.....hWvpP.s{N#.....Yz5..'.+S)k...Y;....,.!.(....p.......sF.8.&h..sL..<...kqa.i...t..Iv%.....r.5....*.K.,...t...x..c.5.~v.65.L......yXL..+.).>w.....\``....^a..HeT..L..M....0......Q.}s.4..".M4...M....Q.,,3......@Z.......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.opt.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81856
Entropy (8bit):	7.846420334642564
Encrypted:	false
SSDEEP:	1536:11nsYEHYbC3DfjgQb6r1sPX2ShUVu4J6FI8pn2aGZsUpCi7Lre7jDZXG3tQ9D:1BsYiQqDMriX2PVuM6SGrOLsK3UDZXMM
MD5:	E47B28481EE70BB515D1ACFC17C9D84F
SHA1:	5BD36C3121AD501400D8A92546DA6A72FCDC271F
SHA-256:	545BFD82162D6262FE190F86F86DD497E1665235EE2D1129CD5D5E1AEA908C2F
SHA-512:	2AEA39B26710427B528BBEBAF3A88DD9D6CC8ECF350E99E99FFD7437729CC234D958601FAD30AB844077FC190190E2DDD3E90528B56FEAC451065F459CE18800
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classu.MN.0...Ai.?($P.,z..T.n.g....0.)N...........R....od.......&t3..F..}s-.a......l%q.-Tn..nU.h...{q+..!...O..^g+.".......&..J...D....W.U.~%.Rb.MC..:......]./.6..>.?"...Or.....x..R...Z...Xf..n..a...Q.cD<G8..~rSQBP...~..N.......PK.....S....x...PK.........n/Q............8...classes/jdk/internal/joptsimple/AbstractOptionSpec.class.W.........N...X 4....d..,.......$..V..N..vg..Y.......-.m..j[j.-..V.O~>../....{g&.}.6~..{...\|..s..\|.........@.B.x.a..mj.....:F....\.0....)..P.(.qA;...]#.......kX.#..P8...9f8....1O2...........[.,.....@.Z...X........:......9U....A.4.!.......]..I ...6HS...VB.h..Q.I`...a..NI...a}..nV.....U.._[i^z.UE'..h....'...W..z.T..;..3....O\ Y.<...F.M...1..m6....Z.5..z.......m+E=..N..'.\Qw&...[o...6.[.=..c.i...X..RB..Uq/.9.~T.......>..U.}P..\?...Tf..yR..#....X........Z\|.F..\..<./.u/.....]...\|....:...\|1..n....cD&...D.)UG.de:k[.I....x..8...xL`g}Q.P=...\)......=.b...M.....

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.ci.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	441292
Entropy (8bit):	7.904078584539265
Encrypted:	false
SSDEEP:	12288:xL9PUt54BixmIWVjQgCjiub1RU53P8tP9:xLhJgxmIUcWuxv9
MD5:	E46EA1F70112D65C273DEF5E61194944
SHA1:	A0545A8DE36BD509813D6E0D0A0FAB9C400494F4
SHA-256:	08738A27A0B852F2F928066F40F28B0ECF3B7AE383BE8670BE40EC51E3F322DC
SHA-512:	E7486E285DDA9376342303901C2C97216071E1512A7AA9E6D1AEDF3DF8D0639FD2F74F0B00028E9B2B186633C4FFB04B0D02ED25B7573903E114F052E8253C2D
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}R.r.0.=.mC...z.PJ..h........t.I.w!..mdul%...]<..\|....4!.~.........?....a...2.8..* .\. OUG..N.3.'..j..:.0B....{.F..cC..J....s..a...Q...f.@."#0I...0.=..../.>..e.........r.\|v.@@X...t.&,........+..1i;.e.wK..pf.N.M&p.0..(....X#,....y.2i.u..0VZ..ccM..l.6....>7.o...N+.....v.o...&..5.j..@in.V..a..ea.^....!..bjXo....)a...6.\|o~f..E.(.O\.Fd...8R...8..EV-.].7...A...&$.C..:.......}.GX...pF.Mu.....6..=..B.V...&x.........].....oPK....V....x...PK.........n/Q............)...classes/jdk/vm/ci/aarch64/AArch64$1.classu..N.@..a...:.(G..r.@.....c\Y..%x..C;a...i.k.3..01>..jb.1<.....?#I....../........c..X,....Y.v..z..C..p\.i.D8.EKl...k..)c.....9....(X(r\.g.HsBDn}v.YZ2jO1...~..7.MA..].....m....x...%.kY.@....."...8....*..P..........t...;UUk..u_..Z..H....g...I.6.8...^..(..u..&.R...M.amd.....L...}m.q.k#..w ]...q....(a.{..&...{..p......+C~....O..vt.....?..fcOF..3tU.+.....O.Z".C.....T3r........\..@.~..)...,...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.compiler.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	6393414
Entropy (8bit):	7.903376019710367
Encrypted:	false
SSDEEP:	98304:6owraaSV2UUIicONZ4L/LgvXXtasDSECRrs+b5Fr4zvFTTJNzH8mQ:6oWbSPCeL/svX9Nwxs+b7r4zNplG
MD5:	9F834ABEAAC75525F0FCF228B7A60574
SHA1:	179F4A4E8E30686AD80582F3A0A1E1F178E50BA3
SHA-256:	8B66F9D8245ACAA5E2EF406C443E33D1FA9D3ACDCB6FC93A439C4EA1FCB15442
SHA-512:	81976CB0DC4FDAEF67BCE6276123DEF0ACDFA98B6ADDE9EF4350A018D03C57E3B3F0F8FEC5451AA34AACEF802476FF6561E8161DC9AB1F8FCDC077FB7C872035
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.\.x.V..ym.6mS.^...m.&e0.N....I......X+m%...L...\|.....zL=f..]...yz.5..n.}+.v....Q.}..G..l. .e.P....r:...l...1...^..4m_..au.;.N.bZ.].;".X......G.X6.......aY2..e...pV.2'..aX....`Vl.q.....D..Y.....G:n1. 7...3[0]..$..@8..te.2.,m.D.B8....Y..XM.....x......K.O......R....+39..S U.D.?VD.\|0..K?.J...\..p.C...Gr.....cg.h.c...e9.....[.l.H.x.i..T1.'.#.U...i...\|..mG....\...EI6:5..e..2......).(..nQ..8..X........~.....\...Y.......9.c.....pP.L..C..p..%...X.,..!M... g.H.2..\.U$U........d...g..2.E.'.![q.).2mz...m..D..bn$..oK....J_......./E8>.Is\.<....Z.m........y.2..cQ...)....N...4z.<Z.b.J..0.$.Px.#:.Zw.2......G..L..\R..2.Y.#a/....\T....:..:C..C....S ...k..Q.y..\|.B......xsC...Sd....6..eY6..%.(.:.%.8...p...7)..wqD...'I....K....i.r..i.p.U....L.',.!+=....\{..r.Q.R...x>.1..B.:.....AB!U...X.4z9.ZJ....H...Lz5/[$.^.pb..J.U.*H..>...&...F..h....K...\.o.....+=2.-...oMVO.'.ir......1]...@..h

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.internal.vm.compiler.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	12298
Entropy (8bit):	7.8734358073542
Encrypted:	false
SSDEEP:	384:4sWbgcyF3vE5ImBmW6oJ4+cbE3Rcfd8wxmy6zvXLAD:4s/cs3vEGmBmCKBP9Z6rQ
MD5:	34DFDC94E39761FC9E046893E561D671
SHA1:	A15D2FDDC81E8055E85289E409EEDD31B73DEF4B
SHA-256:	05334CBAC51A75673F23943BA026B79672440C477A0E69608FEA456C02A36834
SHA-512:	CA394A70EFE1AA102B2C01DD1CA6749009953B66FF5F426A50CFC9FEEB1452C756A72654A839D01F202A4BBBECD54CF6B4638EFC1F5AE0CDA1E41D7D0B3C1983
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.P.N.@.=W...)>v.\1....N....F:.B.C..l...~..e.. $..M...s.._....qJ(I.O"...W...5...)'.....c#t.#6.l..8..f..<.R..E...\...!.+.x..<.Jo..)....VUM8.B...D.(.j...\"T...}.B..X.....i\.{..?G{P.o.}....{.A...M.b.....m.s.O(..D..-...eW...>.\|0.....p<s..C....W......[XJ..H.m...b.b.bq.F.YN5.z.......G..a.....7PK..../.+...,...PK.........n/Q............Y...classes/META-INF/providers/org.graalvm.compiler.hotspot.management.HotSpotGraalManagement./J.K/JL.)..K..-..I-.../)../.../.... y................<^..PK...:.Y?...A...PK.........n/Q............_...classes/org/graalvm/compiler/hotspot/management/HotSpotGraalManagement$RegistrationThread.class.V.S.W.....C+..4..&.\.1......b..0.$...f.0..t..A..jn.....MQ...>.U..T.%y.C..}IYK....C...x...\|..v.......t...X%.?..#E/xL.v~.v.,H7.<m.sX..?Pv.xn..h0...F.u..I;...\z...vV`...u...mqk.t$P...N...C.......x.S.tN{.,.3^...J....h...tm..Wc[@.....r<.......u&.A.@.......l.p..6..4......xb....Ml...Y9!..4..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jartool.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	194472
Entropy (8bit):	7.970641034460952
Encrypted:	false
SSDEEP:	3072:MgedXNLqa3FbTV5vUwRraR677wbxsv1EGo76TIObRkax7vJk4VsDkT9hym9oAlzK:bIXFH31fvYRe7wbY1pH/7vS4okT9IAZ6
MD5:	325C9BAC6B43ED148BFAB975BA7EC749
SHA1:	112602CC92CB5706740FE8E470245CE5131ADD46
SHA-256:	0DD5B5ECAB1D3C4227330FF96B2CD0782BFF4C1DA082DD5BC667C693143454CB
SHA-512:	15DD1150F5BA2634EE32016FF470C5BDB6F51FFDE32E7A94265CC2298ADB1777526C907310086B5940762F78D317A051C927DF2D69D03F0CF2B35EA68B3BF61E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classU..N.1..Qd./...x..V........@...lM....sy..\|(....4i;.}..L.......CB}i.,V#....Dh...\.$3.h..M...(.....6..:.Y..%.].g..><B...Safu...U....yyK.O.....>....$.r&..r>N..\|..M:.E.0.S..:..C.)WM.Y.HY.]..a.gi..sB.h..c.})>........L9Bc+L.....^.$2k7....n......G.......Y..l.B..Tm..\|.=\r.`..^.-.1(..?PK.....k........PK.........n/Q............-...classes/com/sun/jarsigner/ContentSigner.class.QMo.1.}.l.%..Z(....h{...J..R....N..&.v...V.8!.....U1kPKO.....{......9..6.X@#G..&Z..\.JQH;...V..zo......a.E.r....s.Z.E..m......D......k.M..FV.N.b(....`.g&......~.. .N.d_FIx.}.....Q....v..$.?.P.$.gC.....U.M.)..R..b.8..W.....or..Q..c.....k..D6N\|9.......J.6.)7j}S....O...M..G....C...l.Z.e......{...NO.8..G.t..h..).B......=.;........+]......l......2.},3.al..<......O...y..g.=.x..#l..PK..aHL.........PK.........n/Q............7...classes/com/sun/jarsigner/ContentSignerParameters.class.R]O.A..C..Zi..T...i..`B..n5.4...x.n..4.3..,...}.....w

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.javadoc.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	1211177
Entropy (8bit):	7.944554747269419
Encrypted:	false
SSDEEP:	24576:c4xHrlw1+43XYwN5YYB8d9PBEJAqxM6EClnYCRwQz:t5B69YYOrPeJfMrypz
MD5:	038AEACBF82A840FB86C19767F657F72
SHA1:	7883E63F46B7CB0847ECA59BEF4DF7D8A3EC8D72
SHA-256:	1430B8D1685F5DE76F26C54B56C81D5C1069358CD4709BC3DCB6FFCCB0913264
SHA-512:	154779EDA97F99703796A169D00BB37FBF46C4D1ED87F9954943860828FEA6DE3CBC0D282511977C0E5C56C084E801C5E736CD35A41AFC448E2B192F2EF5DA95
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.S.R.@.=-H..J........E..^\|.\|......dX.\f+........,;..X..IUz.O..3.3....o...-a:1a...NO.."t...&.%s...NC...'L...=..0...+"..U..!xM\...R.{.$,...9....[C.u.\..,.<~).N6K..DfQ9.p...^...Y.r.w.........]B..S..:.U.....V.....[i..\|...k.,47..A...X....LX....V.k#.....&+.."s.b.p..I..)a.z.I.:V....LuM. [...To/.hq.k.f.\s....uLv+.j.oI..\./-'..LP&-d.MZQ..Q..x3..~>.f...%L..&\|.2..}..0WO.e.....8.Y_......"..$<..n....>...<..M...._U.g...U...^..a.}.=./.g.+..a.YS..yx...,.!GV....o~.PK..~.AI....k...PK.........n/Q............3...classes/jdk/javadoc/doclet/Doclet$Option$Kind.class.T.O.P.=o..t2'.CP.!.(u*l.....l.....V.XZ.u\|.b..@F"D..o?..GQ..l..}.s.=..u_.}.. ...!....+}..1.^C..c.zQ.L..o{n..6.`.TD.e....J.b..0Y..........Jqi..}T..Tk+.5.9...I.9S_?-......(H....\$.....-s...^...>a.pIFZ.0.S......;.../.f.S.e.l..........\@...........v......Q..Gc.......M.6..SZ..6P.....5...e.....U37.....$.~..5L.n.l..HJ..m.3...N.7]...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jcmd.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	148116
Entropy (8bit):	7.957089717075174
Encrypted:	false
SSDEEP:	3072:ep6J8WzaQPEnQilSKrKbu4orXtAw8BEI6KyVmX632j:c6eiOPObu4OAw8B7B/N
MD5:	7FE2728D9C5445BD2E8BCE58C8EB596B
SHA1:	DC5E88F003CE98F92BBC47558BEB041FD42316E9
SHA-256:	6E07BA1C7EF067AF05AAA9B6C5EBA558C9B7C110BE19A4B8CA92750718FFD195
SHA-512:	55694DC5A5F13F82C5E2E411BB17A5CF46B350A0CB4C25952CD35B57E98B6B9AF0652DEE4F4B365401E0DCB4AB6F2C873E6F8FF015D178E211B6655F025C5040
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]P.N.0..C.A.RvzoB%.......ILI..U...~..>..B<.B$<...c...?>..c..Q:.c9..7..c...7.K......*pPc.Oo.kwJJ.'^.ul<_+....C...G8Z...g}9:U.....C..-..rKd2..9v...f........<.%9.3.l..U.....mS..,......a..4...-..ppB....!.%..,...Y<..L...x..Lf.e.&.^..P......o.p...qN..;4......q.9E....I.......8.e.s..PK....Z.........PK.........n/Q............1...classes/sun/tools/common/PrintStreamPrinter.class.T.s.U...vwo.l.Q..V .....BM.R..`.Bkg:}q...b...l.8.....o<..Kp.w..c....%..f.3.{..\|.9.g....O..q..1...S..=....p.;..{......0H....u...T..D.+..m?....NV..ww,HX.l...\|..9.QV,.....m..q..../.g.,.8..&.fF...J.I..a..{.F.o.../.Y)T-..#.)..o.....R...-..E..m.I@..Y.p.'$r6N.......`.^.do.]/K....3JQ.kD-_..>4.t.n..w....i.l....[......o....~..=...s..Z.DQ.U....(.,+].1%.Du_.@-....;[~....&k..6..8P.....(........c7.y[......a.......6+\.\|.....z.F....&..R....f.......r.l.9....P.v..)X..j.z_.t..8....0.)qQ.....7. .[.7..W..0j5j...(...W.9.....T?.B}.\|..+..Zc...o..}.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jconsole.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	471595
Entropy (8bit):	7.927361107640658
Encrypted:	false
SSDEEP:	12288:5l1yr1oJ6u/7xwGw5eHlUisCEtfyyVTJtfp:dI1oJb/7xwG4WlUibry/D
MD5:	8154E711D750D204E5358034800D4FCB
SHA1:	1ABD5BEC7F082B1A9183D36A298173A28BA37B40
SHA-256:	A00EAFECFB99C1C63FB7B33A5EE330680888215F55698B03CCAA340D74F2FA97
SHA-512:	20EF0B9A80EA8FC122EB5E5800E6CF0FCA70E95C08567675D8E46A37926B9D11C835CABCB7874F553092D34CF93CA2021DD671A437780D028A32461C736AA7DF
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classm....A....j.T1...o7.%..K......cw..3.3..s....J.L....o.\|...y.x}.p.}.D..~&..W..a..#..'N..&...+.U&.J...qx......#..Q..wR..av..JX..R..ElT.`bxF!.......S..qm.4..9..#r!MX.)..a.....5..n........SiD!y.v.rm.a.'L..O=..._=..".n@.K"t.G.UB. .u...aE.g..u.......?.<.......jp..q.....q..0..s....<ON.^..\|.....Ql...c.eT1..>'.lz.x.y.x..e....K...f{.[Nb.....'PK..>..e...i...PK.........n/Q............D...classes/com/sun/tools/jconsole/JConsoleContext$ConnectionState.class.S.O.P.=.u.V.2'. ...6P.T.X..1ud...%.O.V,..d....D.F.g.(.}..0.1[.w{.=.....~......CE...4....Q.x..k.~.x..^>y!.9..I..cGn....9.0(.I..2.z.R..1,.z.g..i..h...iO....EB....K...1.,.:.x^{S1.....!..........w.....g......TC.a\W1.1..$.....g.....{.....g..q&`F-..1.2....8.M.bH-....0../VV..4...b<.L.\........2..B.s!...(....d...N...vZ..G.._..z'......V...c.....]`.\..%}....."\"_h.B-.^<...!/..o..53h.l.+..vU..".;a..#...S..F._%..\.1...."}.a....}..Ll...Qq)...x../.7AV

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdeps.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	747316
Entropy (8bit):	7.912940714319912
Encrypted:	false
SSDEEP:	12288:C73JYuZSRMmg+2l8ZUAKJUUvF9MnHczIf+z71M5Ns9ey:wZS5g+JUAOtrMni571Wsv
MD5:	29D0A4D06C197F265501AAD6BAF45E62
SHA1:	83E71B0BEF3DFCB56F3E2476B1CA53A16ACEF850
SHA-256:	A9775CF5EC65239428BB5C55BDC058BB60B8CBB4F5C0B4B070D413708EAD81E6
SHA-512:	F58B00D9D151AF763B8FCB95008E154D8506023C82490714E1D23228177283643C5B1A1EF2BC52565A651A87BA9200899F2ADEF02D8BEA7E5916CA7ACFE03595
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuR.N.0......-..... ..G..HHH..&1(m.Tq..\|..\|...X..-..d{wgf.#.....8..a....H...!.@.B[..'A.U..[.d]..#......s....f.5.$R......H:..vgQ+........T....R9......E.`....1F...k......:....B......v.6..#&dZ....!.i...o..0..X .j..l....w.n..).dja...O.".KW.._....-.9.;.k..n.....L.,..-...M..c...!.a..Xx...3.6..0.:....5,.J..Q6...0..gU..........]^.9...l".......4..e.....p4..Y..;oV.Y...e.U.kt...B..(p.`......PK..f`......C...PK.........n/Q............6...classes/com/sun/tools/classfile/AccessFlags$Kind.class.SmO.P.~.{.V/n...A.P.M....9!."q...O..Q....d$B4.>....^j...&.....y..._..0.Z...f.-=..z..^....{.....g5.......C.#.4CjM..J.A.....vu.......+.\.n..'u.r.D%....Y..Q...2__.}X7....WW1.q.#..q..l/...Q.X;..-.....s...a'qS...4n......i..C..8.{..ZO.<..S0...7.^.A .g8.`..Xq}7.2.k....z.)..?.A6..ANdE...b...}...x.a.....Z.Ks..\...v..{k.J..~...(.....V...1k.Z....h.%GY.m.V.i.....tk..O...,+.;...j....l..K...(hIi...7A.).0...../....[Y..4I?Yj

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	873528
Entropy (8bit):	7.899120036221473
Encrypted:	false
SSDEEP:	12288:va0YbDnpUDzGiOkyBcWLuexX9B5QjTQyJ9S38DMZz6zb2lPT6kax8uMCIJuTNDt2:i0wzMzrOpCWLgXSMYOzUPTtZVC71c
MD5:	70EE207E89DDCAEBBDBFE57B7274DB71
SHA1:	CBAEAC1512A8ED53D391BDF008E3490B5B19455E
SHA-256:	35C6FA0FF16DE8D51DD51448BBA85A3B43CE32E7553779B30A3AD71EEF8F3353
SHA-512:	61E299B33D34239DF362591CD2A5D37EA94F1811C80D44733CF9D536089431443FB19911D7B608D3F1B48C597CD4FB559A88A1D07B26B751168194B54E7F0E2B
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.SMS.A.}..J...("..`v....,.<..P..6.$;.gv...<...Q.....Yq.=...........7..p(...8.S-Q...!.Z..]9..^7...8.1+0.8..A...NC...3Ux.~!.FZ).....K...0kQ`...!).,.U...,'n.l_%2..6./2..)..<o.70U..l].....' w.;..Sa.`un".U..,....KK>..T..Y&......I.F.@..:>6.6.Zp49..%.....F;.&k..&.yx,.7-..hVh.;%.j..?-..M.(GG:M.......U.!F?..F.t.....k...f...U..U..=.z..#...jsQ..._V.....r......c..<....z<T+.4..J.L`y..X.lM....%0..g.....x........r.}.0....MwV.]rv..._.f..'.%..gx....5....l\....f.f...a...~.PK..............PK.........n/Q............4...classes/com/sun/jdi/AbsentInformationException.class...N.A...... ..Jclt........`66....8d.5.c.Q.}.+......-l.w.....b..........MT.H ...C.i...r..jlu..&..bH...a.!i...X..e..i..../.Ys2Xa..zS+..5.I.x......O.f~.....u..P}.;a`g.........n$R.V........x#.P.....t ..>p.S..!q8.^4..Z......4ix.Q....{.?..Rsw.f.j/v...0T.C..U...0.l..sD.QL.g`O..H....&J..."l..Ci..@..Z..7f..$4Hy..s....6..[.g..PK.....LM.......PK.........

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jdwp.agent.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	127873
Entropy (8bit):	7.995171911648754
Encrypted:	true
SSDEEP:	3072:BJ/WTQagxB70gu3KeURn3xm1aJr2lUdrwEfNQT0:XWSBzean3xm4JcAr3Y0
MD5:	62D094CAED8190D1752D97C6EF9DF7A5
SHA1:	6351CB0057606D2B44B8AED4AF01DB32FA9079D1
SHA-256:	27CC1468B8BA7A78E5DEB2560CAD5D6CEA1D4FE63EED380C80D90A3481F30BB0
SHA-512:	EEE33F1B646AEFDD6F52DA3CB8CEEDBCBD26091BE328A8BB441DB94846CBF25BF163DC478B562CCAAE923EDDAC5583F8ADE8E09FA7B84DCBD9A3B190AA8BA7D1
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@.D.EA~..[0.D.w.J/08#..1\|d.\x..e...o.].y.......K.3%.T.q~U.....X....H.%..3...0%....Y@0{.......uRuq..8..t.~.._8."...m.\...y&v.......}.`u{.Y7u..-F..\|.PK..b..C........PK.........n/Q................include/jdwpTransport.h.Yms.F....q>....'nR<...C..G.g./.C:..qRu'.O...{w.....i....s.......h...0z......{....3..{w......<3.....r..>..w`....q.)..z.ioj..c....=.....9.N.GW.d>..;..S.9.d.H]."..w).QA.5.F~..l.L...dC...........P.n..<&.Ga,`......=..!.%qiG[z./.G........LfwS{.\|h..A....8..A.Q8yd~gu.jQ......k.}o..t.........n......^..k=_*....Q.p...q..N.'...e..l......G.[.o....C.e;.9...YlS.I<ET....r.+.p..pC..4!.F.-.(0.".B..8.cL.O.M..@..\|...>...G&.....+.7$..3.+......p,.\^.'.4#2.Q.l{j;.......F..c.f0v...[<......O?..sk.N./...g\|2...`.p{.f$f..\..s..<.o...7..Z.V.......6...`4..1....K.#.....u..%..u#=.......)..R.[:L.......L.....M.D8D..$.....X..h.]a..+..`....v^{.o..^......#....z...=..;.{~.....G`/^`.........G...FD.T@@.0%SiE.}

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jfr.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	534760
Entropy (8bit):	7.936953895862843
Encrypted:	false
SSDEEP:	12288:vtLqgAzEIiaPQ0NSuKWTdJLwUa3RPM71yj9aAP4E4:5qis+QdFw93RSyI8w
MD5:	6687450EE0EFC3CF002A404A31F0CF0B
SHA1:	2A3AF738821E03C7CB80D73F0051775D6A2DFC60
SHA-256:	BF4CE18BC133EECB6E0D7607553C0B911D780A430948B804F3BC9040ED0AE73D
SHA-512:	BA8E24DAB000C7A8C5777481679470C620486A1E394AA234B1B3E5F15A08C68FE210B489205736BC17CB642BA52BD0DEA46C1D3AA32EA278C7E23838E74AAB50
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmQ.N.@.=W.d......Q$Q_\|...D.`l.l.S...o\|..~..e....t...r.d......{\.r.k...i.....Js.n.. .m......$!...v....f...2\....h.P..r(U.k..)-.HO........+.J.......oB.}.q....@[..<....U.. .;...8.#....Z.k.. .T.[7...H......O..j......L...\|Y.!......(.cB...x.\|....z...aD.'a.......".......Lw.7.c...%.F.......~.e^S ..C6...;Y7y.N..s.;(.".<.%......m1........PK....^.W.......PK.........n/Q............'...classes/jdk/jfr/AnnotationElement.class.Z.xT.~.I&gfr.....EFD...EAL...".b.H.........o..[.V..l.w..Z...d..u.n.v.[....^.vw...Z.....dnA..<...?.............h..>.Pd...%..[C.Bu.PlK..[....d~$.I-..UO_..^.>..0.#5yo.u...uUo$a5.c..`juS....[^......#..........[...S.T$.[.....UN...c..4.X.J.B.5\|...(T..mb.....R..[.....Si......).L5.b....`b"N.Y..D2r....h (.=D.JDb[..#1+..d...`..6x0._.}..j......Y..J...V..j...O_.t.51.3..........e]..O..p...M..9.A>....%...)mh.:1..\.G.cz{Tu.X.8..I.}](.k-....H...0..&....g..C.V.....O.....)?...f..L.3.@&....R..pqV..d

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jlink.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	410728
Entropy (8bit):	7.940858294306596
Encrypted:	false
SSDEEP:	6144:Q0N3mgGVIQyaTOMi93AcpXpRfT+JjHS4W6dTL/doNBnUCNllxPZ+6UOP15If:vHKPXOMozpjsHS47RLF2BUqlTZ9UOof
MD5:	6B537512C2F426FB7D0EA53B2C9B88F3
SHA1:	52648A05552B27E9F7E8FFE39EC12688DA901E16
SHA-256:	09E7D2A027BDDD185DF18CD8D7042B1C6464664B82F798FB7DD81205E16B8A98
SHA-512:	E51CAED2A7181D2A275F34093F45E1C727196B30DFB26B16BC0439E7C449F98CD65F257AE6E3DCDB1BF55390CC876EE644F6BB9C16E06052DB56F07AA297F2CD
Malicious:	false
Preview:	JM..PK.........o/Q................classes/module-info.class..YW.@....Be.heS\.W.vYTd....B}.6C.4............x...V<I.....s.;w~.....:.1..M...4N....`....g.i.JM..i.....Ye.\.:...jM.yU..`....M..;.n....S-.R..B/.X.4.a.\O.....f..V.A..e...jN.0.0.9..-.0..&.R........I...-..oJ..Y)f.I.~ .&.v.....'...G..<.)..:RW.T..9o.g.tJ...TGR9......=.1....x.v.9.J...8....K6vD...`..},C[..M.^.#. .+.%2.....j"`.0,.e..~....j\..(*.4..W..#.r..td._;`..-F...vD=...V...k.d>..<..f...../1,E...D!...}.g..A.6....U..Z.r...'..SY..C:}..q..!,.L6..s..7..#...5.4u..d...65..Rk..85\..fZ[n......8.5.R...S.....P........P#.lF...N.....?./m.....=E...SDWQ.TP.n..rJ7...5.G.....\.....^../...~.....2.,r..4...g...M..yD~@..M\x...}.B...>..L.x./..o.`..X.2V.....O...........;.A..0H\.#...v./PK...D..........PK.........o/Q............+...classes/jdk/tools/jimage/JImageTask$1.class.R]o.@..k.8..ICiCK!....5 .K....p..D).O...8q}.v...g@B.B...(...!..nwFs7......3..x...R:4..H3.'....#k....m..<..jaH.p.&"..J..u.~7..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jshell.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	663529
Entropy (8bit):	7.949945206904611
Encrypted:	false
SSDEEP:	12288:tLcJdcxVT6CFASpD7Qzw8EunjWLmxQ2jWE+6pyTACA4oqu:lcJdcn6KdY9iTop3CAvZ
MD5:	5914B236665D99E5E396D3C727ACCEB2
SHA1:	6610D9A8F450DAC3AEDB06306AA0F99224D13F8B
SHA-256:	3A73276654319554366BFB46AC82BC1D6F2C93989D9DB2104EDA519BA310D654
SHA-512:	A4ED568482BDDAE0A06A530555ABAAEA31987674693ED34FD460C8960CDD29615984174A85D60D324619844CB80CF86B9CC310132ED6D763311347B5149A7F75
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuS[S.@....\......6)J............].m..I........(.M;m.&._.\|g.e.......>.+.\[..u..i...6B....2....J...\T.f6.~..dX%G .L.$TA.#...{p.V&.3....Z.70".]....\Q........@\...I.xX......8.I;..4..M.......\..4L..U.yk..2.]......T.._......w...RQ.....;..'....0.\....q..Xgp.\|.t.a}....@.o:.VGF.$....C}l...L......Ov-3...]R.K+N...:..6J.......4tu.....sY..[.7..~.(T.qM....P..0..H.c;.=R.n..}.t...Q....Hi..q..Xd4...p}...6....0.....G..\#.A.w.r.=...G..,>...r/,..X....,z.......>a.......m......:f1O.5.${.+.l....PK...`#I....!...PK.........n/Q............<...classes/jdk/internal/jshell/debug/InternalDebugControl.class.U]o.T.~..6..tM.....h7..#..6.R..k.I.5%]..p......i.BB.!n...._..n...@ .@.7!.{N..6.4.............~..@..:..!h.Z...e.I.,....[..1.NXe.dPc.\|..h.A7...a\|kc;i.=.M;..m'7.z..L...aMW.S....e..e8..\U...H......w.tK.....#..........R......3._.d....v........C..;e.[.d..2G+.j..]....s8O.s.Ne.3\.@;&...WD.Z..v..E\..Qu."3Y..N....#

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jsobject.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	3098
Entropy (8bit):	7.5832881194591995
Encrypted:	false
SSDEEP:	48:pCDh92jG/7jnZhQyhuW0KjhRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DVGOveUz:QDhLQ2XKvJX/Agxo7RA1LZZALCGOveI
MD5:	E495331A4B7EFC861687151B3647CCED
SHA1:	2EC5BE517CD31D9FBA085EBB432DAD9BC7D2186C
SHA-256:	04F7529F454B7B3DE70187C4B8457EB1F1F81B4F38F64B4509B5CB733AA80CC0
SHA-512:	C2A85AEB8B01FB37CD82235FF55D1E766FF3F45B6B4BA93A51A60D0D2A1DD19C2F95FA40B640BBA75D284175646CCCD3F5920DEF420BA7C4824829EFCFA54A39
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMM...A...~..._.A....D.......,......(1.".....\|.......G....G.NWA.. by..V..El.6f.y(....1.K83J.x.F..).J.;....:....T.":.M/..B.s.....m.........(.......&7../Jh.."Zv.P...[ts_B.?.s..:y...PK...5.........PK.........n/Q............-...classes/netscape/javascript/JSException.class...NB1.....DP..7.0..;1l.$..B..e96Z.=............d..H$.q.N.o.i..o..'.B8.H.Q..+..A..B./z..<yrd.(W.b.J+S%...M..Y.L....0...!1c.$ay.....G.jK..#.4.#..l!..T.k...)_zJ....y}uvL..a.....4E.'.[../..u..9ro$a...<.uZ......G.....S>a...=\.......}....D..y.<U.XjL.cylb.[.p.1......!.0../<...>..s.4...$.c"H. ."..%.....H..F........O.v.....!52.(.W......t.0Y........l\|.PK..k1bUt.......PK.........n/Q...............classes/netscape/javascript/JSObject.class}..N.@...@.XA....t....\..7F.L.....R'8.....[.......2..S..L./...............<2.2..........!.%C.-\!....VOE...r....:.}1..U7P...P4..o&.>..C.lz...,_.....G.0....5HG...i....p.....h-".....c)<7PQf

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.jstatd.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	33913
Entropy (8bit):	7.925452325822178
Encrypted:	false
SSDEEP:	768:UBjs99RXqRNMZEJvWg/hm6LY15x/C0WcqutzJuUyS5m9u8ynj:F9EWoJYNC0F/z8UJITq
MD5:	C40DFD30EFE94EB2E213E0B12215B482
SHA1:	AC7B8037B7FBF1BEC19AA62E9792598E6CA6CF72
SHA-256:	A4D36A1A5112F9F3E793BBABC690255962ED8894519004E7EA28F17C3AC39A32
SHA-512:	0522C1A23A4CBBE4CEA61EAA443ACAF2FBEA09F1EC657CACF254489ABDB36DCD8617C586431304E25D51253A1625C088C36AC76EA0759E73F0720A82866958CC
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class.P.N.0.......^...C.V.... .....L.VN...........Q.')U.8`.;...h>..?....Hd..y_..Y...;.^..P...i.L.D(.o..7$.."..e...D..H.+.H.]T...9W....%.42.....fWgt#e..b..........Z.j.......I...e..Y...p...Q.y.$..s.....!<.[.../..9.N..B..Q...4.$....36..,.^..rCh.D...$..Y.{.9%."..8.y.......Y..s..h..cw.\{Opn..WQG..\|..7PK....`.5.......PK.........n/Q............3...classes/sun/jvmstat/monitor/remote/RemoteHost.class...N.0.E.i.#...@J6xO.TTj.D.lX.`.G..b7..X..\|.b(.......^.g.....3..G1"._XQ5....qV.W.Z....^.K.C.6aP.F...3qu[....!Y...vBW. .......x.j.jmgy6.sgarB..T.A;.cl...mZ_..%..6t.Q..w.>..._ YA..2.'...f.tS..K5.s.r....s!..lq.-..F.U.U....ao...o......V....PK..&Q7.........PK.........n/Q............1...classes/sun/jvmstat/monitor/remote/RemoteVm.classe..N.A.....A>.....\........D..x....fg...".....e...i.k...<.....B.pSm...B.u...X...N?.....a....)..i.9..-..e......t."$....yx.n.>..B.p}..-..".7.c=....dN..{...i.....cc_.j..q[Z7....\\|{\!.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.agent.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	81621
Entropy (8bit):	7.930307384934393
Encrypted:	false
SSDEEP:	1536:b4z1HiSObJI7P6ahupea/dABbwU5wkwoKlzX6juezDDW6zrV+RZwOZjO2:b4z1HiS0OyCuEjchLoKlL6juofKxNz
MD5:	1A0F24297CFE2D15AAB00F31458640B6
SHA1:	5F4D91F26DCAE7AB0FB2B0FFE69C610E6B6AC273
SHA-256:	6BBE768A88034193C63670B2C037A7C229155C08275A69321A09715690422855
SHA-512:	27EBD97ED0E9C0BC9D29DCAE5837A0B478DFB7404233131E11AD46128FE110EF3D371AB5EAFF41EDC9D503BA6509FA61C8AB8D1536DAE7B5100087AD9233C1C7
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classmP.N.1.=W...2#..c.Rf$Q7..3!...L%3....%........A...{O.}......=...T....#.&......c6g./.'~.....7Vd...............,....C...............F......`.8...:....2....r>...4w.Oh.p.v.....Wi..P.w.GRh...C........9.B.....v..(..k..?..+g.F...M.....g.."..\.>K..%...S...x.=c..g.h..2....c.P..xl....(.bl.-..Z.?PK.....3.......PK.........n/Q............6...classes/jdk/internal/agent/Agent$StatusCollector.class.Xi`\U..nf.7..$.iH[.%.).L.L..@b.M[J....i..e.%....7mcQ6E@D...EE.VQ.@.).V.q..}.}......d..$..}..s..s.97O>w.1..EA.....H<i.fR3"..."k..^.+.P..'....k.CK.E....QK..#..[k.<..>.~.yy...'..e.FL7..Dy%.Q..VE.s.B..n.4+..L...L......i...1.u..PQ.y$,`.?......)...t....L.u...B.jvxg.......@..h..&..Z.Z&x.m$q...)Ko3RQ..L%...kc1S.d.h.B..T,....b..u.8;.5....K.....A....T4a.@%.....:.k.....U.8.F6w..i.P..j.P.B.@.....8>......$E..V......z2.2...$:#4.7..T%"Va...J9.D#.<.ZJx....H.7E.&]....'...a.xT.qY....\|..+%..U..C........K.g...q...;.[.n..L

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.jfr.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	35841
Entropy (8bit):	7.895920206921998
Encrypted:	false
SSDEEP:	768:01aLV2OeSrEWXZIj4RiHRdIuRK4jpg9I6app5uU8OIW8Gp9xwFJ2I6fJZdTX:01aLNLq88R7qRQuUT9jp
MD5:	2AF6A1F2D4FB1FA1AD0E8150892C4A12
SHA1:	2A1DFA6D16CE9ED226BB541AF3AD11E8466D205B
SHA-256:	3E223217F96935D6890A6E3BE53F90BE5E52CE6F691844AC53A40CD64481FCFB
SHA-512:	E0CEA8C7A25A86CB61512186D78564AD9CE08B3504D677BA4E797C7FE542B0DABB4C5DEB4F06702EDF449B7531AC4B665BC3B278E92E888E04EFD3CF41F0A982
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}PMO.1.}...7.....^....7..H.z.Z....t...<...Q.n7....t.}..i?>.....P.T..yO.r@.V...l...y.."&.G\&.\|.].....w..3..K.........B&\K.vP&.S....E..FV.Nhl..h.........R.].W.C.L..Fw..V+.p..%..3.?...%.........}@.<......y..~..5;..dadcB-.....P_...u.cQp=...\|."...wpl...&..Z...ll..D..O/.c.!NlO.T8.j./PK...}..'.......PK.........n/Q............2...classes/jdk/management/jfr/ConfigurationInfo.class.Vis.U.=/.Iw2M..... ..!!.F4A.........;3.....8......}.}..Xe.H.....7h.....U.o.$3i1V.^.....=........O.P.j.!.a.(\4j..m);3.wh.I..5...oR.nj....Z.u."....&..F.sm]^f..).l..2.....w\|.....45....M......\|..YX...jI..3...v2...aO..O.._.Pp-................9../...R.PF.Eg{I.e....&...CNJB/..BB.).....V.[=.;.D...fq..B.8G..v.i..,!...7.&......".f.d.....;.........s.d4. .v\k`...p.B....Lj...I.9v....^....o.....4.....EAv..ia#nP.M...wX..UM.}+ko"f`K....Xa..D....v......);'.#..,tc..:n....rq..T.X.~...r..Mv..aE....Y..}TNP,..w.:.$t.a7.........p..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.management.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	69486
Entropy (8bit):	7.914145548898423
Encrypted:	false
SSDEEP:	1536:wQk+DDx0BvxFbTf8sCDrGvo9SFOwliS7QWAfRbfjM/Rd3N8CkQdyyFKLpW:wcDSFbD8s+A54E6fMH3N8CkQ+W
MD5:	295ECFC1A63647735DE3918D7B61AD15
SHA1:	7EAD8158CC54073AD4B5594446FC1275989D750E
SHA-256:	032F0DF66BD529D7D9838C9A0A76B7B825430EA2089B9C732B86F25EBC99DEA0
SHA-512:	52EDEA1A5315D5110B9031A0BE23C3952311BAC1FBFEAB758C59F89F1BABD3256C19D713FB3473CBB9F3498B2634883E3E57E55B7679B9392570779971619DD7
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}P.N.0.....]...c/M.D.p...C.H..&q+..]9I{.wq...(....a....v_._....:..>.j....x...l...E..%Sl.%W....:..W......\.......7...q.X.N.....K..&.[...m...A..A..l...N8S..k.s.K.....{.J................$d......xdf.3B{#T.7....z....T.....;...U.[..K.../.]..}.\|.jh.t8{.PK..s...........PK.........n/Q............7...classes/com/sun/management/DiagnosticCommandMBean.class;.o.>...k.Nv.&F....\...<.........}........d..\.x..Sjb.;..#.@VbY.~Nb^...RVjr.;..#.,H.......d.FF......T..TF.i............ ....$..8.PK....`.........PK.........n/Q............B...classes/com/sun/management/GarbageCollectionNotificationInfo.class.U.S.U..nH..... ..6.6,.X...4....K../.fY..d.I6.u...h..>9...XGf..........7.....B..R.d..{..\|.9.......0...\|hQ.W.@+C......n..+..0..3-.ah..g....._JW..%...4wM76....1....y=.F..T....'...^vJ............U...T.....n.U....3..v1^.X.".x.(...O.R....P0$J.v.uS.b.`..$..!\|7..._...>.KD..T1(.J..c*...."......i..1$<.e.,^h@]8'..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.naming.dns.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	60084
Entropy (8bit):	7.94170672965016
Encrypted:	false
SSDEEP:	1536:Ko+W+rGMpEXYiqAD+gL24MrD9OYvVng1y3iX2r:L+r5pkYit8PJOAVntd
MD5:	29EA5E44B576D8EDC8334535ED8152BD
SHA1:	3D42D41A1E32054DE879F95D3E8D26EF2C7D0A66
SHA-256:	004819FB8B5C46995DEED0477F074CB15DB7862E4C4A83B5FFB891D4FAB700CC
SHA-512:	91546F0FE574F78CC02A7E285ED981129EEB5F2077AF970B6B620DB739CCF105ECE333DD6C9E13150CBAA54D710EF6FBAFD910EF68091D4F6D72DCAF9C4D8DAF
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class]OKN.0.}....C!.f...6...KP%.HHp....mb.8.e.s......$T.Z..Go<_.....qL.fV...i.b..a..`S.&....1#2m.&..."....?..w..S#5.r....c.<m...Se.g.T..._.&<D.pZ...0.j~gt.EzcM...D......N.g.[..}{..G[..T..........g"Q..k.'.'. ...H;w#...%...i!D.7..~.-_.....:.=~l]Wh..>.~..^=.3.~.PK..<..........PK.........n/Q............;...classes/com/sun/jndi/dns/BaseNameClassPairEnumeration.class.UMs.T.=.O.bYM.$v...i..v.......K...=a.NQ4..-e$.........`..S......f..;`.?0....M:YX...{.=....}....u.1p...8...[....6....-....%..U...'1...EE.....h~...M[.t\|..[u.c...m.^..v,..l..f..0_....e....@W0.....b.a:d...v..[.........g....1.p. ;."..C.q7-.......aN.q.Y.`H..b.h.~...J..T........q.....TqJ.=....g.,..P..3...(...1.....1:6}..Ke........}.u..5[..~..<.x.Qq..CR4.lt}.....n.<..!.....<..(F..$........_.-si..bX...}Ug8.;p4.#fA...e.@..U.v6,.....k..u..{..M.....^...I.!.8...V..Qj6C..F..Z..<R_...G..a.W3.C62.0d...a.....U..+f.]gP..J....$.CJ..h..Q.-.>

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.naming.rmi.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	18962
Entropy (8bit):	7.879095599349228
Encrypted:	false
SSDEEP:	384:JEJj14/v6ubRBwV+mtm5VpVAlF+D+6XZsLA2:JE74/CMemx+lgS6XOt
MD5:	F11E5D65863146758D0650872CB3A164
SHA1:	0E5EA724EB4EC991DF4FC7626DDBFE77FF313EFB
SHA-256:	9EE120517DD4F711C5C3662ED77555059861291DC78CF349615F0A51BC79A7E7
SHA-512:	242A225DEB9A88FF208511F772F19BA691EAFE2CF42597FA29A9D27B07CD7F5C7C5D5CA1B1B1DE381D8705E9F4D6751E7084A17642A56CB1802E0B3C9CD0E962
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuPKN.0.}SJ.-..O9......%R%.H...IL.6....v.s......8 ...<3....?^..\..MuT$b,.n....D0./.0.G.@.T.80..P'4.g.$..F.NYV(6W.dVfF.2...G.......)>.v.x..3.k.q...Oh9...!..h..e.]+.K.\i..U>.a...].....W..#t.uaB1....._..W.-..<...W...."'..REz..y...n...O..(..........z.R.....5t....r.b.{..8tu5.up.G.PK..e:..".......PK.........n/Q............8...classes/com/sun/jndi/rmi/registry/AtomicNameParser.class.R.n.1.=.l..&..BJ..P.. ..R!P.O.RQT.....v.....(<D....G!...6.<.s<>s.._.........TC.M,`..<._D..}....e....J+..P..:.Q#.z.$."W..\|d.z.'rYG.F.f.7p....<..:..m.K......3.J}.....8.NL...41v....I.,..B,{...;....g.Gw~..\|..w...g..V...oWA..$a)QZ...D?.L+1....U.<K.../....KX.yDx1g...5...Xz..'D.&..9et.....U....Bm7.f.....M.{.Gi..9......2X..0.;...G._T...3+.b..3.S.).....Q...yN`....!.2...A...g..v..>...+..R.s.ix..k\|..8...5l\..(.@....)..Q?-[_..x.Z.z..PK..............PK.........n/Q............:...classes/com/sun/jndi/rmi/registry/BindingEnumeration

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.net.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	16691
Entropy (8bit):	7.835716025973249
Encrypted:	false
SSDEEP:	384:X35ZZ+W608/ykiL+E3OgSd2yDLDoWlgv6LA2/c:XpZZ+W6zzPn4y3Dn750
MD5:	7B3BE04EFC27E0560C20006170E899DD
SHA1:	8FE7D7B4A04DC3F1A31F97CC17BAB31A94EC42E7
SHA-256:	6DBF1422C48BA474C70426686229DF1AD32A20582EEEE1E5D79F288933CFF20D
SHA-512:	E64FD473691976F4DFAB2001D15C7D72F2E64FB6F126E41D906A11BDDF600D0E5ACF6ABA54B0535DFA12104EDAFBE4309CF22F4A64BCE3EAC33DE6D949A97B80
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@.D..E.....g.D.wgb...a$(0..l=............z..O.k...X.y$.09I.Dp..;..'.g.....`...%..yE...a~.P.a....yFh......P.[.O.U.{......._....E...H].......+.].{.=.'h..J.C.v........=..PK...y[.........PK.........n/Q............-...classes/jdk/net/ExtendedSocketOptions$1.class.V[p.U...-M.n..-.r.R.....PR...46$..E@.....lw..Il._.~..8<..."......_}..~...Q....nz.I..3........k.>...>,@.......a..3........O.n.xa&3\.B3....[34.....=.............j.........G..]}..{.....0-..yU.R.Um.=..a..)#....I....b.z.a...i.........9..J.K3....X..R...a.T..]aG.Phpt.p$4...`X....W1......p{LS..C.V)X-7.....U.q.e.P..7.........$3.;....K...v..`..^.7......!.6...1.Os..hW......!....#2........D.......]..A....\|.D.d.).E&.L'........=7....=.i.\..Pp.4\<c......J..u!.7]gL.........uc">.....".......h.W..V.=.-..4..15.ER.q".....f....a.,h.=-.g........F....f.W3<d.IU...qZ.B5.!..V.O.K[...~0.y.%....U.[.i..4..0...fP.~..Z.K{..b..F....I.....c..._....Fdk..

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.nio.mapmode.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	2573
Entropy (8bit):	7.585716552925947
Encrypted:	false
SSDEEP:	48:pIVaWgvq2vIt8Fn3fjPRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DHGavq5:Kavqbkn3jKvJX/Agxo7RA1LZZAL8Gav4
MD5:	6580F1626A2C55DA21AC50143B4C92C0
SHA1:	A28A5BA9620948355E0CCC9637C740963D3EDA92
SHA-256:	624B5898A3FBCD11E6E6D681871B9E8B307684CB068C6F17E66B7A637D7531F5
SHA-512:	820BF4E3A1BFE0711F1D52FFF9755B0D16C36E0B50B5E2D11D1FE90F906DACDF3453084BD1EA0E776E3084386ED39CEBF9E1922B53F82B0E03FEF00B224DF3C5
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.M..P.......C[.&...I$l..GZ.'....,...kK...s.sr.........e....&{....."~..;..,.%..YQ1.Fh.S6f~M=E...B't.$..L....Z..N,.P.e..`.... 2.Y....../.$.E..8.Mn@...`...0....z......~...fU...PK..I..........PK.........n/Q............-...classes/jdk/nio/mapmode/ExtendedMapMode.class.Q.N.A.}...."......9y....d.D...i..6........L<..~......R.U.......7.e...B.A.......x.^(.w.h. !d..V.>!..u.G.y....p.+..t"#-B.....>&R7e.D.t..0\|V=8.......u.B..-.V./..Z.0..T(+_.Z.g9.a.U$,...o..6.~..U%..FR..].._T-..R"dVL.WZ...D#....Dx)"e.~2...... ..r{A._P...if!......1..UB..2v.HX..6.,..~...>.+<t....9..f.vl&e.......l...ly.m.&70....`...s.....C.pz..0f..mR..v.~.Y.\|...`.U.?.PK..8.~M........PK.........n/Q................legal/COPYRIGHT.VMs.6...W..L.I{ir.$n....N...J.A..@).I..}...e.i{.@......C?F..f.....KC?.}.kCwQgHz.S.ds"..Y.MZ.K.X%.&..3z%..M.B..2.S\|t0...:..6x.}.;..i..D..Ye\|..&..wI..Xo....h.['..!..B.\HC.W.g.8.z$.q.....Kob...=.p.].>.Ld...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.sctp.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	23570
Entropy (8bit):	7.699516108218091
Encrypted:	false
SSDEEP:	384:/FWdT63qGA2s74PPf+AfdgcirNa6hTbdJ3ZBR6ZhF62WmhSWDdulpLAEU:/c63qXDMvfLirFXd6Z2gDdufS
MD5:	7579F5E9191D26076513F0D62BA63763
SHA1:	A983D608C3087FFDE4E1A2F76C4072766CB52763
SHA-256:	6BE9DE8083B09B782B7520691C2B1B9CD8796ECCFA3101A205853CD3CE22FDF0
SHA-512:	EF643B3E4252448E6AB98CFC2F7309A0D41D53EABA8B3DB4AFA86BC09EDA1EDD49750AE5763E542073B142B40F9F541570655FDFB841709797D59433CB09997E
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classM.K..@...&.x-].D....S..... !.e..sY8.C).................B-T^\|..?......,..N(..iq>va.....k^..::...WN".P"..../....[s-....K......i...BB..,........i+...<u...z....!...$s.MS.(.\.q.%.....S-gX...W..PK...0S[........PK.........n/Q............:...classes/com/sun/nio/sctp/AbstractNotificationHandler.class...n.@...M...J..CiS(4).....".@.R.V$...ico.....7.^...n....x(.....s.....g.ofl.........4b....`.I..c..k]n....0.C.$-....\|.p..XH!...d.V....}K.....:.^p....p.]:<_.7_...3.j.....1l..-W9.Pu[.#ip%mkp0.E.........m...5i.z...N......l.w..#....P..2..s....t^.......J.^&.l...`h.Zg#...G...z...A.0..\)ntz.R^..L.a.....l[\....i.....#d.k..W.R..b....R.."g......TL.....+.L.]..3.~3B.!,s..0g/uD..y.z.\...z.`..L..5{i.!..ja..WV..\|...tM..CC0...!v.7Gs.....:..F....$..F.+...ed..}.E.Y?.s.q.....\.u.K.<.d.n.&.{roi.'.....!...Z...@.[..m.}.+.C:K>%6.Z.D.`.\|k.....\..l.e...37B0..2.Gd>.!...2.........i,.aD....#..V..PK.....}[.......PK.........n/Q.......

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.security.auth.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	75417
Entropy (8bit):	7.957051837625358
Encrypted:	false
SSDEEP:	1536:rLd/gr4QC4zcxQiwrk+79xRDxqWXp4kE/eoBtAi939FMp0t0NmwELQxqbJs8hneK:ejouRxH9qWXFEZ0is85rgyn
MD5:	24AF92517AC1A65B436D2FA612EC7003
SHA1:	32F019F2D9057A52EE79A603637753918991E193
SHA-256:	8D2196DFD3096919F43852D654C99D3D52CA37A58A311A540CE6A14D367B1482
SHA-512:	D4FDC8A4300591297595A2B7051F9ABB41EB5A833E813508160779EDB45FA7C1BAADEEF81B768F74C457C719B7C2987C601C64AC920C8FC18F37685772C908D8
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class...N.P.......@.....b..D.w.hL..8..z....^v<.....2.."..@.............p.CB.....{.. B.O.h..F(..g#.V......)B...81N....6..3..3ft...-.b..d..YBi8....td.....:....F..\.......-'.5.......s4h.J\x.wn..f-.~....H8...y.4....8...o.cu.q.."a..'..........1nN.f...I8.i.5..6!S....W...7.7........!a._h...]....l.5...}q..&.{M..8..._cZ...[T..-E.,....9.%.`..(K~.{.....s.Ws.~.PK......n...#...PK.........n/Q............@...classes/com/sun/security/auth/callback/TextCallbackHandler.class...O.A........."...C).M./x.....F..&...uC....n.?.DC..?.?.8{-5.5.3.3..........XqQ@.A..-...C.E.PF.b.{..C(..6....j.....f.HU.%.....P..(.C.a...w2.*q.XA.....j.&<..#..@f./..R...!..........r..Wq.3.f=..=..M..~......;._..J.......]...v..L...%..)a.}.....e...$.}3...h.g....u,.w&.........4.....%\|".C>.Y....>s./..p,..@.S.!;+<.6..u...(........O..\|.{.W......Jx.z...y#...![.....b[`[m~..v.z..Qn..f.>..J...=.c.=a...X.h)./..PK.....`....`...PK.........n

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.security.jgss.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	25069
Entropy (8bit):	7.861186641428454
Encrypted:	false
SSDEEP:	768:dGve+SEzoJirQXHxGTjCsxc0T3iQCVSJqdSE7g8gGuICe772czgyO/CS:d0e9EzyirQ3xGTjrxViQ0kQg8gGuICeu
MD5:	0818A0480E8735784DF484F633893DAE
SHA1:	B210BB4F8C1DC9EACC0531D645CF77A5EF80E30F
SHA-256:	6193B8935293735A0E075950A43AC9C2FED9EBD333CBC5CA2ECF3508E550FBFF
SHA-512:	9F881002F03343453B7903B6471ADF42F4769E61D26F7AB4AC31524484FB201FE25A9FDCCB90D03B337C42EE8B3072EB2A845E3DC3ED854E39266EFF19E55D1C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.class}P.N.@.=...S.........Wn\.MH......A'.P.;....G...&$N2g.s.g......=.......M. B..aGl....m.<...v.Hi.J.Mn..{B.xb..<u.9N.c. \.I...Qr...:.^...Lr.MBK....0.L..}.....L....aX..g.X.>.....~.'?v..g..B..y...0../.W...2c^.....xeY....:L}..c.........E\|.SuNq.....P;:....k...]-.R{.3]SQJ.....PK..D... .......PK.........n/Q............:...classes/com/sun/security/jgss/AuthorizationDataEntry.class.T]O.A.=S...../.....RYQ...b..M.<@0..3......Yb.%...4.H0!>...wv.@.F.:sg..s.=.w..:>.....bh..O..M...\|..6w6...0%C..Xr..A....-..I.".3.].....f.Y.jlo....[.g}..r.y...#.C\V...+&.v..I\G.!.^`h4m...=S..E^.v%..B..b...C...@Z..$>...{...V..@/....-.0$E.P.66......S.H.r6.)..v.i.a...;b.uL..Zr.,_rG...^,..^.GB.E"Z.....d9.M.[../.t..&..g.s.2..,".-...D.m....M.\1:.wB.3J.f.F.]..4...x.X.T...3..8j...J_z\|. ......<......S..3...wwD.).v...U].I/.9F.K....*..N...O..@..%.........bI.o.s.+..L..f....i..W..'....8....._..:.O.i.f...+uU.1....l.)5.d.........z.N

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.unsupported.desktop.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	13963
Entropy (8bit):	7.775458355384311
Encrypted:	false
SSDEEP:	384:xzRgcWBxiV8wXQMbX9Z0aIg40ED5rfPLAJmnhB:xnWBQLz9Z0aV40EFfPFnhB
MD5:	510CE41F524D16C86791C0064A589E7B
SHA1:	78ED6092E0F150A94460ADDEF8CAAD601AB5ABBC
SHA-256:	AF7E7BDA39FB3EA6A8C41669DBB86B41B6799E7EFF379CE757981E5B956BB24F
SHA-512:	20B6517378381D379A052997642BF23B5B057EA33C2E0BC962AB6B64E989FDAAA4CC3F02BFD7560D26189E55C7CDF13555BA272C476AD984CD0F913730BD16C0
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classuPKN.0......J..V,....a...R%...M.&.#;i.=......NR....G3~..\|{.p.3B7.H.8R.....~.l.W.0Z.....Y.M......\|4...-.fS..&v..p..\........+..h..e.{.V...z......P[.Ym07z..i<........4K<...']..\|....x..&.../b.J..R...2'.]..k;....{.^..(.>..p.j.......UBk.w...1N...:8..F_PK...E..........PK.........n/Q............A...classes/jdk/swing/interop/DispatcherWrapper$DispatcherProxy.class.R.n.Q.]....X.E...R.h"...&....i.m0..a.D...A.?......?..2.3PQ...k..._...h.QD...r.. Ox4p.6...izA"U.5w.8.....Q$Um.y.....\|......Vg.\|..b...%X..@..M_0.7.N...Kv.Y..5..R.e...B.\`..z.y....pS...U.p.Un....}y.HX.;S1..A z.l.%\.p..U...y$.0p.:.aDX..c..%..j.....0Hk{..Z.m/.c..!..]I(u.@.....:...+...~W(O.dN...d..........`..C..=O...Gv_......0.eZ/.@../.X....4...4@......e.8.......c.2l...WP....9....y...2.`...;.`K.^&.......:..3......<....\|.....gX..0.B.a.)Iu.8!..&j.x>..r.>...#'......v.v:.R...oPK..s...........PK.........n/Q............1...classes/jdk/swing/intero

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.unsupported.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	17477
Entropy (8bit):	7.858834131732098
Encrypted:	false
SSDEEP:	384:WssxVkcgUhibEPAZowuCxykS7ug+aM2xbWCwRNXkoYufro8LAC:cekAiwuCxyvugjMqCCwAuzo8p
MD5:	76B5BEB2F821D1CADF6FBC86B4AD3EA4
SHA1:	353EB41AD10248539929CA4D4E52099C2233798E
SHA-256:	E390AE217A83C38651EAAAE4BB00941F53C3E06C70F5F6E335713333432BEA27
SHA-512:	A48301D836C6865B210FDA8D5252611E39C9BCB30A0E328C96A6F934B169B5FD31CC3ACAF0438DF85F1F4B846F1A1FDC815043C885072396F88018BC6DDD212C
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classUNAn.0....!@.M..S$.K.!U.0......\yW.}@.U.6......._.......&....K.+3.....v..0?.#s..........=.._(MSX...LQ.Z.....4.9....ZY..rL...v...3B.f\[....7........#.KK.^.-o..#..J.s.K........#.>..\....>..n.H.+.8....B..N.7..}.d?PK....q.....<...PK.........n/Q............1...classes/com/sun/nio/file/ExtendedCopyOption.class.T.O.P...^e...8......."......,....?...b..#._.$@4.~..2.....bc...{.w..........,..0$5....b...c......VY/..{..{.a[Q0.$..a.Z]..oll..\}U.3<,. .p...Q...X.ea+_d....X......n.0.5.t...\.U.U.T......k.a{..pKB.n3t...z...f]_.a.K.X..j..i..]..V.....0.A.H..7.H.[..%.w0,`D.].c..-.R....K5..Q..q....F.T$G..$p.F....i).\.@8J...-I....)x...~.a.....R.d.y3...H....S.c...R..^0.V.2...`X.Z...;..I..kb.}.f..lM5K.cp.&a.R.:....hP0...^.*.......e[<.l....h.X.[w.....\...jfs".).x...f}.(..y...]w4.....n>.m..iDz.@`y._.@l...t.i.D..St...?....t.C.B'.....'\|..4..xR1..g...q\|..~.V...S.xz.zZ9.{......).......9.qt.../B.N.p..Yr.Y...5.$../.p

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.xml.dom.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	42290
Entropy (8bit):	7.301009409584117
Encrypted:	false
SSDEEP:	768:GyvMIZQqx6mssgRqwShvKe8l5sFCIvV9XaK:GykJqxdevm3ptRaK
MD5:	476A6F2B11BB60D05012AD03D982E3C1
SHA1:	2796654C41EF4AAA09D23450B3F7E616E63ABA33
SHA-256:	905C70A0DD7FC8C9F4547388EB492992B43D26FDC3D6808D9A4DFFFF577C3FAC
SHA-512:	EBF7130DB716B4FFB5C4F2951E16464A683E0BB5B65D633B7F13EFEC69EC570D9B34DB1E7902761402A9068E0EE7A0F7EBAFE0BD96648BE9CFD993BDAF420E17
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classMN.R.0.=W.G....K..TFt..3....6...8M...\..~.C..wq.........x..._.d#.,_....0n.l.?..,.....%..."..w...#U.Qu.G.b.Ct...B....MU./)t&..O..I..~p....z...k.`D.:j.......)c.Ka.=....xy..B..G..0.a...U../....8............]...e...9.8..?..S.u}\....PK...F3.....r...PK.........n/Q............%...classes/org/w3c/dom/css/Counter.class;.o.>...k.nv.&F....t.r.d...\...b}....."v..F....D...t}......F..........."F...M.......tkF...2......T.78. .(.$...+8..(9.-.,..Q.d..#.#.3..0.......r.;....@..@.....PK..............PK.........n/Q............,...classes/org/w3c/dom/css/CSS2Properties.classu..x.G...`.S..N.qh..M. ...bc..):E.P.w..Z{..=[2%@B...{..z....{...3;...w...y...von../..K=.;...y.U.3.3s...L;...f..V..'.4.4..x.....L.G...c.E+.x#......t..M.8.T.4.$.:r.#d..;.[...C;-.K.8..5Z.N..\|4.W..9.;I..&....l.......l....Ig..8......\...Q.D...\.)...G..)..U./g6E..a..'m!g4L...r...#9...n...U.R0.w4{~K.&.....4..P..A0.w..=Y.S.........x.1.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\mods\jdk.zipfs.jmod

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Java jmod module version 1.0
Category:	dropped
Size (bytes):	102661
Entropy (8bit):	7.963859985844485
Encrypted:	false
SSDEEP:	1536:kipzltxqDIygENgDWnkIgwqZOQqcK4kLvPx0aKeXCCIPuV/ingD4IJT8nYjIrSb0:kipXxgIy7Ng6kqr34e7Kw7Kwtmd0c
MD5:	0FF732511F74426FBE09EEC982ED56A2
SHA1:	D06B4A0E2745AF3C47E51721347852827EE18707
SHA-256:	9DB03AC8466E45B2FF32F419686E9B44286B2B29A7FCF2B1C7DBC0BCD46C927B
SHA-512:	E0A5115D5683D2E68E5274D77D007C35ACA02C137D8D52461889289282797ED29F57DC5FE1D604D0B09EE11F4152C7AC168CEF7BC681A8890DF1589301784E05
Malicious:	false
Preview:	JM..PK.........n/Q................classes/module-info.classm..N.1...UdD~D..;..J.l.#!...J;..L'S~"+.....C..h4.I.{..n{>......!.S..K.Y.".....s.Q..\/...Q!T{O.Q..M.ef..........Q#<.2 .]..s+.\L.....m.6E.:...[.....M.....)..e...Z.b...53..8./....G..L...T..{....k...m..p.g.....a....M.....3..PK..........K...PK.........n/Q............,...classes/jdk/nio/zipfs/ByteArrayChannel.class.W.w...~&....E@Hb..$.0.....M"...jB..U..N.!..ev....V..e. Zmm.....,9m.i...?...C.{N.=m....I....{......>..y../.h.%.e.V.6..mi..k.;.5fy..Q....J..s.{G.[I_C..c...B.-.:".nPB9.N.%]'..<....nr"..gq..g..!.....#X..e..r.5.j.B.5.S.m....3...i...<s.g.t.+M..1.!.X.`..v....UXE.#.Q.e..eq....VC8mf....:.....Yy..@#.4TzT.:.i........d..Z...6..N.[6b.....f.-....l..f,G.[.l.e.rR.....)Q.@.P.P..+W..I..`.......r.t}.T.....D).A...-..L..V..1.!...,.3.Y...w.$.....Gp#.I........nE..N...v...DzM...M....x.%..u......'....N....R)..K..s...G.=k.d.9c..r.....J`r.V].n.H,r.].^.[.;.\|.d....Rs$m..U$-.=..}.6.y4.xe2..[)..3E....(...

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1039136
Entropy (8bit):	6.580236835541948
Encrypted:	false
SSDEEP:	24576:fXAsqzXlKZSxpJUlwtC/jCQ6tGh91Ds9H2LUVMhmP3oRaEt:fX4zXlnAlwtCbM891YVH6
MD5:	5E807B5DAD1B6C81982037C714DC9AEF
SHA1:	2B818F50C0CE821CD0278C714E57CB591B89B715
SHA-256:	AC94FBB73EBD0CE13AEA7C1AFCBA0DF9A646CBE5795E804FA0C0AC4EBA259E16
SHA-512:	665EA8069E8D75089EF9292DD6F07E19FA7F7FA1294D44F45D017BCED0D16C8281260BCA4AC7896ACBB0DFFB483BFB13BA4298D767A4BB1A91D9FA437D6BECFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......9.}...}...}...t.[.k...........5.w......i......w......y......x...6...m...6...\|......z...}...L.............\|....7.\|......\|...Rich}...................PE..d....9:.........."....'.....v.................@..........................................`.........................................P...P............`..@........j...... )...p.......`..............................._..@............................................text............................... ..`.rdata...c.......d..................@..@.data........P.......2..............@....pdata...j.......l...6..............@..@.rsrc...@....`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\sauighfs.rar

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	420446
Entropy (8bit):	7.999605801282685
Encrypted:	true
SSDEEP:	6144:L4PCnUjc4/SqS+M0A7iz40JA8CdXF7YdS3HeKVrLmunR3DBVZDWm49gTMrfL:L4N9S+MHik0rCdOQX/nR3DBb6f
MD5:	E9EED5A3B74F4F55D27507C5789FA615
SHA1:	36274B493DDC20AAB537B0F7A917C552A671224C
SHA-256:	6F39F289DAD53FD09FFC83965AB4905EFA7D742093B071FC9F2F72E79E5A16B8
SHA-512:	9243505277F3E79B6B98FE21D9B1F014D168BD5766D51499FE0A62B39B765540D6A442EA5990DD3D3F90F3147B881D9FC4F45853A2DB182A7D9111767450D74E
Malicious:	false
Preview:	Rar!.....el.!.....tt.Rd:...[.E.r.u.5`I.....f.?...y.._'../8 6M.>.6.s....oL.<....i....<....$,Jp..(.!.V"R.g..)...D.Q.2.I.....Y......_..Q.p..0......vJ.(....G.{c...v..SDI....&Q...a....$i.....sW..a.......-N.P.m<.....o....Gb)A.n./..Y.~..r.V......H.5..<..zxvT..M.0y..7.F.U...6k..u.F...'.g3..{K.P.U.D.#.b>z.H.y.&).l...$.Dmf..H..&.v.........c.e.m..lu.fs'..9H....v..8...R9...K.5]A..tD......-#..b......uw....4{M...>. YY1......V.8....Vm..Ec....\....o...t.0..~....s8.{.4:E.^...;...G..L.`..d.j.r..TH>....t...Q......X.8#..@.6,!..g.kK.N....`/T2.]..F...d......6Z.....[.8K.'K......J..04)....%.K.3dhOg`.}.Z.+......o...t.]y.X...C..Q..C...#..QTC_.e....7.DK.#KO.. .I5..8.i-:/{/.B..........'.]..U..o..)iI..7Jl.9........?V.v.[IGD.......i...h..I.G.O.....>K.....U-.......R..M....A.2[U.&.E.m.Io......2a.9X.M%.....v!.[.BB1>.....F.%....2.._\arW./0+.[0..JF...r...F[..\6......:$.#0<.......NxRi...:f.e.....{X;...0.^T.w.B....z.Oc..8=<..2DC..b..+.D..GA.\|r&..z...........q....8i.

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\vlc.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	984312
Entropy (8bit):	6.338396454828307
Encrypted:	false
SSDEEP:	24576:ee3xAibB85Z1HrWtB8z1L1OBJB5zzz3zzzozzz3zzz6O:lxAibBEZ1LWtBzxDO
MD5:	37CA63447784D68545801EB2F9DFE1AF
SHA1:	4575FA78C6E54480A1F2DA51082BFB9538649DDF
SHA-256:	31F5E43E9283CF2469D8B3E51E7C28C132C6ECB0DAB855DF52CBF21D5394AE0B
SHA-512:	49A16F4ADE2A434D0E502571E077529CAB54BC98BD4D3EEC45C86A9CFC9623F6830F4046B94730517C6706FDA71C54490EB5ADA538A157D0CC90DC413FA008C7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.............................................@.................................... ]....`... .........................................B............ ...(......D........:...P.............................. ...(...................h................................text...X...........................`.P`.data...h".......$..................@.`..rdata..............................@.`@.buildid5...........................@.0@.pdata..D...........................@.0@.xdata..p...........................@.0@.bss..................................`..edata..B............f..............@.0@.idata...............h..............@.0..CRT....h...........................@.@..tls....h...........................@.`..rsrc....(... ...*..................@.0..reloc.......P......................@.0B/4...........p......................@.0B................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\71da1f76509d9c721d84655251014c87_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	2.219411074181711
Encrypted:	false
SSDEEP:	3:/lGlle2QwXln:8A2ZXln
MD5:	62E024FE2476732F71542D38DDF3F263
SHA1:	304A79B7904E2E1017AF6BC24461D2D7B4EDBDE2
SHA-256:	A05BE7F1BA1635E6CB5A46F778B93A0CA8FDDCD60C0E91BE3A9E86040DB067A5
SHA-512:	33162E2CA0135E03436491349B6DA65660B5D0F295B97E5243F4A4E380B51D7D6F00AE51CD48894B4149B6771C8E193E70061A190B6ABFC8B1FCAD3AFE084A7D
Malicious:	false
Preview:	........................................Advanced Installer.

C:\Users\user\AppData\Roaming\Microsoft\Installer\{F65C12FB-F21E-46AC-B40E-DA85278EC407}\icon_27.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	175255
Entropy (8bit):	3.85622158771748
Encrypted:	false
SSDEEP:	1536:45DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPU:45Dt+e7GVBFvvMg0Vj5Ho4CIDPU
MD5:	333EE8442C6101D0CD9C874D0AD83EAE
SHA1:	22278A01E88B826B16D4936FA254E457B9ACA059
SHA-256:	B5FDF4A4143964A46B7F2BBD1357D075C786F7AFBBA0BE3DD7B2623F379271BF
SHA-512:	04F3BE053ECB44B11FE9ABDE941BFD367B17C0532B2C634FC42AF85CF1BE68C0F495B13F4B3CA35A4DD9E4535629EE1A615001A244DC1B68C871AB364A0A704F
Malicious:	false
Preview:	............ .A4............ .(....4..``.... ......<..HH.... ..T......@@.... .(B../&..00.... ..%..Wh.. .... ............... ............... .h.../....PNG........IHDR.............\r.f....pHYs..........o.d.. .IDATx..yt..}.....8....H$EI<$Q$%..:.Hv,.Rly.......#..N6...v...dm.....%.2e.<.."-.$x..A.$@..\=.w...68.....`..}..7.X.U...[..U....A..A..A..A..A..A..A..A..A..A..A..A..A..A..)Q.l7...MM/.Q..J)[Q.0........e..u;l...q...X"....v.nj.hV2.j.IR.CS<..C!.O..iY`..f4j.....Y..w.....c$........HB!.....e.A.h...+L...4{i,f,QU.A..D.Z`...R..b..B-B..qd<.b.D...$......E...NQd:..D-..S)..5..Q......e..Y...E.....Y.LZ.E"..D.\5>..4MZG....RJ9..WW..C!....=....y..*.I$...HX..w..E..A.(....E..pl8....F]....16......M. .v..D.......Xm-.,..{.Lw,.+.e.u.z.....,......$Q.......?u..E.h#..".^.P<....K...4..D4..;..g.q....<--/.55....FF.?..K}<..n.....e.UQ.._......y.e....zj..[.....@.hn..,Z.....48.}..%...b/..v..>..t.ow}.......=..A.A.(.MM/.p....~.......R....r..g.]w..7........Y....3(.(.y...7lM.S.(..;:.......

C:\Users\user\AppData\Roaming\Microsoft\Installer\{F65C12FB-F21E-46AC-B40E-DA85278EC407}\icon_32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 96x96, 32 bits/pixel, 72x72, 32 bits/pixel
Category:	dropped
Size (bytes):	74814
Entropy (8bit):	4.157215135011018
Encrypted:	false
SSDEEP:	384:2y2eKfQdkzvDKIeTzumt2yr8XbAVzpEoYR:23eKfMkjBozuI2yr8XQze
MD5:	346BAEB443ED5807042532D5A8CBEE66
SHA1:	9DF37248D164B816E0060FC61DB52968E5753644
SHA-256:	578D9022F7CFF1B54D354757D9A49859A65B168F6D9D42936317D893E6106940
SHA-512:	A51DD07A8E8D1CD4F2ECEB6869438F1EFBC030AF42C9248769A82B85307BC955FA06A0A05328C406F94541B1C238A010B4612744ECF22984C9FFDF1F9651B71D
Malicious:	false
Preview:	......``.... .....V...HH.... ..T......00.... ..%...... .... ............... .h.......(...`......... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\4659c4.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {564632B4-D632-4965-A808-AC4D3E1DC9DD}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 7 14:17:41 2024, Last Saved Time/Date: Sat Dec 7 14:17:41 2024, Last Printed: Sat Dec 7 14:17:41 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	56207872
Entropy (8bit):	7.979381500046698
Encrypted:	false
SSDEEP:	786432:r+Jh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4Z:r06FnkF2d6VXXtzR5mgvkz1d2x5wKk
MD5:	5D5BF0697A16502AD90C1A0945859215
SHA1:	756580443533D77296238335BEF2D6553DFB8FDC
SHA-256:	1E5CE241801CCBEF1583B30D15BC5340897F02797C496F524B56412515936FCA
SHA-512:	4CA0D6EFD1C49C9FC63E19C295AA240C5AC4988914AD18CF1D779990F42F88EA8322F9321C339A08B261468F3BDE46E3094869295D538FCCF748258DA6317C14
Malicious:	false
Preview:	......................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?......+...,...-...$...%...&...'...(...)............................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0......................................7...9................................................................................... ...!..."...#...$...%...&...'...1...)......+...,...-......./...0.......2...3...4...5...6...:...8...@...D...;...<...=...>...?...C...A...B...H...@...E...F...G...?...I...J...K...+...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i.......k...l...m...n...o...p...q...r...s...........v...w...x...y...z...

C:\Windows\Installer\4659c7.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {564632B4-D632-4965-A808-AC4D3E1DC9DD}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 7 14:17:41 2024, Last Saved Time/Date: Sat Dec 7 14:17:41 2024, Last Printed: Sat Dec 7 14:17:41 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	56207872
Entropy (8bit):	7.979381500046698
Encrypted:	false
SSDEEP:	786432:r+Jh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4Z:r06FnkF2d6VXXtzR5mgvkz1d2x5wKk
MD5:	5D5BF0697A16502AD90C1A0945859215
SHA1:	756580443533D77296238335BEF2D6553DFB8FDC
SHA-256:	1E5CE241801CCBEF1583B30D15BC5340897F02797C496F524B56412515936FCA
SHA-512:	4CA0D6EFD1C49C9FC63E19C295AA240C5AC4988914AD18CF1D779990F42F88EA8322F9321C339A08B261468F3BDE46E3094869295D538FCCF748258DA6317C14
Malicious:	false
Preview:	......................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?......+...,...-...$...%...&...'...(...)............................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0......................................7...9................................................................................... ...!..."...#...$...%...&...'...1...)......+...,...-......./...0.......2...3...4...5...6...:...8...@...D...;...<...=...>...?...C...A...B...H...@...E...F...G...?...I...J...K...+...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i.......k...l...m...n...o...p...q...r...s...........v...w...x...y...z...

C:\Windows\Installer\MSI61B3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6231.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6270.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI62A0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI62FF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6D51.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8C72.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608727172078022
Encrypted:	false
SSDEEP:	24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
MD5:	EE09D6A1BB908B42C05FD0BEEB67DFD2
SHA1:	1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
SHA-256:	7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
SHA-512:	2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8CC1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380520
Entropy (8bit):	6.512348002260683
Encrypted:	false
SSDEEP:	6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
MD5:	FFDAACB43C074A8CB9A608C612D7540B
SHA1:	8F054A7F77853DE365A7763D93933660E6E1A890
SHA-256:	7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
SHA-512:	A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI906C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	787808
Entropy (8bit):	6.693392695195763
Encrypted:	false
SSDEEP:	24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
MD5:	8CF47242B5DF6A7F6D2D7AF9CC3A7921
SHA1:	B51595A8A113CF889B0D1DD4B04DF16B3E18F318
SHA-256:	CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
SHA-512:	748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI99B4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	256864
Entropy (8bit):	6.8622477797553
Encrypted:	false
SSDEEP:	3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
MD5:	E0BFA64EEFA440859C8525DFEC1962D0
SHA1:	4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
SHA-256:	8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
SHA-512:	04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....vv..vv..vv...u..vv...s..vv...r..vv...u..vv...r..vv...s._vv...w..vv..vw..vv.G....vv.G.v..vv.G..vv..v..vv.G.t..vv.Rich.vv.................PE..L.....$g.........."!...).(..........@i.......@......................................;.....@A....................................P.......p...............`=......l....s..p....................s......@r..@............@...............................text....'.......(.................. ..`.rdata..XU...@...V...,..............@..@.data...............................@....fptable............................@....rsrc...p...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9CA3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	275003
Entropy (8bit):	4.599007180374064
Encrypted:	false
SSDEEP:	3072:N9a99WemZyzT5Dt+e7GVBFvvMg0Vj5Ho4CIDPCQoJ:Li9dmZGTx0RFvvMg09DPDC
MD5:	536F34BEE07593CC771E38293A6ED130
SHA1:	53E9CAE3D9D400D0EB88863B05CE0327E669E268
SHA-256:	800925BACD60F44117F86F3A0FFF5075631DF367B2ACE7946FBDC3EE31CDCCED
SHA-512:	3063FFC571E92609B83B02DEF09DA31A85BDE82C80CCE490974E9B1AA7B90C360FB43FB2956784D5E84A98D962D45FE3DCF36878C77A942AC7F22327D2FDBB0E
Malicious:	false
Preview:	...@IXOS.@.....@.T.Y.@.....@.....@.....@.....@.....@......&.{F65C12FB-F21E-46AC-B40E-DA85278EC407}..Ifid Apps..m9u08f2pMF.msi.@.....@.....@.....@......icon_32.exe..&.{564632B4-D632-4965-A808-AC4D3E1DC9DD}.....@.....@.....@.....@.......@.....@.....@.......@......Ifid Apps......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@(....@.....@.]....&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}5.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\.@.......@.....@.....@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}).21:\Software\Grovi Tend\Ifid Apps\Version.@.......@.....@.....@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}E.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\libssl-3-x64.dll.@.......@.....@.....@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}@.C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe.@.......@.....@.....@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}E

C:\Windows\Installer\SourceHash{F65C12FB-F21E-46AC-B40E-DA85278EC407}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164378630993869
Encrypted:	false
SSDEEP:	12:JSbX72Fj7mSAGiLIlHVRpZh/7777777777777777777777777vDHFm2+sVahit/z:J4SQI5t5D1iF
MD5:	AAACCDBB38A6259255C8F6F86008DC59
SHA1:	6145EAEF7B4C05D7B775C61F2A650961AE9638EA
SHA-256:	5B00FCD6CA1F722BAEFDC60EE3CFAA670A744CBF77340F9D22A09685A6A0C3B0
SHA-512:	99CC475E48AA9DAC9783E3286A44EF59C1E360BBDD6ECDE2AB0D2774C215E7F27181327E064CA0A3788FF6A07014210C0D6FA6877563EEC9C656FE62A11C2952
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.544033651183617
Encrypted:	false
SSDEEP:	48:Z8PhquRc06WXJWjT5+rl5Sy3AEkCyJpXQ5SyjT3n:Uhq1tjTw3ovCiX6
MD5:	BDD162C654BB08B103406C5EAC96E6F1
SHA1:	37DACDA00EEB86238F5F8898D4435BE4C2E1FA5F
SHA-256:	3B9F49C9781A9CBE83423278F1807267B01A7085919D93291BB3A53A403DDF64
SHA-512:	47FEF4B7C2E4C3212371805170E9610F42B7A7CD30C0BBE9CDF25AC44922F6C2D023D61DD2FBF9CCBC31BF9C146EF77C6AD78D928875A0A454FFD7A9A78874FD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362963605734507
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauF:zTtbmkExhMJCIpE0
MD5:	DE79D5AD3FC66D7CF57722918BFBB6B5
SHA1:	AC6E2789DF639DADAD4B9AA44B51F8BE30216CE2
SHA-256:	2E479914713A9D88EEDDB147BC4EE6126A572E447D0FB9F6A6459AF953386870
SHA-512:	6DA0E0B8FBCF272EFFA4556867DBA9D3A2B361A9D03D0A88422F5D0AAB783990B9095ED98F472D1ECD94D46A24F584996862881327EF29BD38919B805DB00E6A
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF22B1AADD7E05B5A5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07145322917235106
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOm2xssVaMtgVky6lit/:2F0i8n0itFzDHFm2+sVaMZit/
MD5:	193F116ED26649C0B913345D647867A4
SHA1:	9B7B609F62D4287959F6B462ED184C88E935357D
SHA-256:	F6F23448342E58E66BB46A3AA06BF692EB1492EEDC49363EB665236AA4F925C4
SHA-512:	FD8A1D11D40C6FF15B475484809D1B18800DF7D2BA771518F51F10540272ACD9123E954F574FF64EB2645455CF57305BC1CCF2732D5E8942ADCA32D9B49FC478
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2EFFAEB38E9DAA6F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF626E6BA6BF8AB0F2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2393515122924477
Encrypted:	false
SSDEEP:	48:l1iuEWI+CFXJxT5mrl5Sy3AEkCyJpXQ5SyjT3n:LiRZTI3ovCiX6
MD5:	8C90DC1DAE22B34C9184E6C9D7911892
SHA1:	98D0E223E11ADF390201B90E54472E67FDE7FAC8
SHA-256:	6283B0785B20F2E064A27F58B15B86DE6E51A6B5723F035203A534352C5174BC
SHA-512:	1BBCE669389088097993872F8969D46E3433EA88D7CCB7345D0E79F954CDB69ADDE5118156EC61EC22346A1A261B240772647A9567DBC12646C26D764AC6FE1E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF68E06AF43313F540.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12976874946840264
Encrypted:	false
SSDEEP:	24:bigl5ZTxbXojADsipVbXojAD+bXojADsipVbXojAD2AEVbyjCyJVPwGBR80ir+Es:bnZTu5SyU5Sy3AEkCyJpXir
MD5:	684B2A86B2F909C7788304D4FC5B6EB2
SHA1:	09AF15D3748C223198C86F813B24DB36F6B418CF
SHA-256:	D1479A745861A252D916F6C1F6D7764C4EF33F8A7F1E36C35448AAC614FE8489
SHA-512:	FF8C0A2BB1FE0E830DE83266B1D430BFFF738DB045295038C4A829B8022150DCB418B2095D8266D6CFBAF8D9C01CC5791D1894D5B5E187F8F0E426DEB8225954
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF77ADD15F362D225F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.544033651183617
Encrypted:	false
SSDEEP:	48:Z8PhquRc06WXJWjT5+rl5Sy3AEkCyJpXQ5SyjT3n:Uhq1tjTw3ovCiX6
MD5:	BDD162C654BB08B103406C5EAC96E6F1
SHA1:	37DACDA00EEB86238F5F8898D4435BE4C2E1FA5F
SHA-256:	3B9F49C9781A9CBE83423278F1807267B01A7085919D93291BB3A53A403DDF64
SHA-512:	47FEF4B7C2E4C3212371805170E9610F42B7A7CD30C0BBE9CDF25AC44922F6C2D023D61DD2FBF9CCBC31BF9C146EF77C6AD78D928875A0A454FFD7A9A78874FD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81D392892BF7E657.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81E1108E6863C926.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.544033651183617
Encrypted:	false
SSDEEP:	48:Z8PhquRc06WXJWjT5+rl5Sy3AEkCyJpXQ5SyjT3n:Uhq1tjTw3ovCiX6
MD5:	BDD162C654BB08B103406C5EAC96E6F1
SHA1:	37DACDA00EEB86238F5F8898D4435BE4C2E1FA5F
SHA-256:	3B9F49C9781A9CBE83423278F1807267B01A7085919D93291BB3A53A403DDF64
SHA-512:	47FEF4B7C2E4C3212371805170E9610F42B7A7CD30C0BBE9CDF25AC44922F6C2D023D61DD2FBF9CCBC31BF9C146EF77C6AD78D928875A0A454FFD7A9A78874FD
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA6BB55B2C770EBA0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBA289EC0E9476672.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC7D7533230D26187.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD5698B3F29057496.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2393515122924477
Encrypted:	false
SSDEEP:	48:l1iuEWI+CFXJxT5mrl5Sy3AEkCyJpXQ5SyjT3n:LiRZTI3ovCiX6
MD5:	8C90DC1DAE22B34C9184E6C9D7911892
SHA1:	98D0E223E11ADF390201B90E54472E67FDE7FAC8
SHA-256:	6283B0785B20F2E064A27F58B15B86DE6E51A6B5723F035203A534352C5174BC
SHA-512:	1BBCE669389088097993872F8969D46E3433EA88D7CCB7345D0E79F954CDB69ADDE5118156EC61EC22346A1A261B240772647A9567DBC12646C26D764AC6FE1E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEC2CBF8BE5F44718.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2393515122924477
Encrypted:	false
SSDEEP:	48:l1iuEWI+CFXJxT5mrl5Sy3AEkCyJpXQ5SyjT3n:LiRZTI3ovCiX6
MD5:	8C90DC1DAE22B34C9184E6C9D7911892
SHA1:	98D0E223E11ADF390201B90E54472E67FDE7FAC8
SHA-256:	6283B0785B20F2E064A27F58B15B86DE6E51A6B5723F035203A534352C5174BC
SHA-512:	1BBCE669389088097993872F8969D46E3433EA88D7CCB7345D0E79F954CDB69ADDE5118156EC61EC22346A1A261B240772647A9567DBC12646C26D764AC6FE1E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {564632B4-D632-4965-A808-AC4D3E1DC9DD}, Number of Words: 10, Subject: Ifid Apps, Author: Grovi Tend, Name of Creating Application: Ifid Apps, Template: x64;1033, Comments: This installer database contains the logic and data required to install Ifid Apps., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Dec 7 14:17:41 2024, Last Saved Time/Date: Sat Dec 7 14:17:41 2024, Last Printed: Sat Dec 7 14:17:41 2024, Number of Pages: 450
Entropy (8bit):	7.979381500046698
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	m9u08f2pMF.msi
File size:	56'207'872 bytes
MD5:	5d5bf0697a16502ad90c1a0945859215
SHA1:	756580443533d77296238335bef2d6553dfb8fdc
SHA256:	1e5ce241801ccbef1583b30d15bc5340897f02797c496f524b56412515936fca
SHA512:	4ca0d6efd1c49c9fc63e19c295aa240c5ac4988914ad18cf1d779990f42f88ea8322f9321c339a08b261468f3bde46e3094869295d538fccf748258da6317c14
SSDEEP:	786432:r+Jh66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4Z:r06FnkF2d6VXXtzR5mgvkz1d2x5wKk
TLSH:	B7C73360B596C137D66D11B7D529EEEE423F7D220BB148DBB7E4392E0E348C19232A17
File Content Preview:	........................>...................Z.......................2...........t.......0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...*...+...,...-...$...%...&...'...(...)..................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 16:36:19.844310045 CET	61898	53	192.168.2.8	1.1.1.1
Dec 9, 2024 16:36:20.216269016 CET	53	61898	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 16:36:19.844310045 CET	192.168.2.8	1.1.1.1	0x9a0e	Standard query (0)	taco-keys.com	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:36:04
Start date:	09/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\m9u08f2pMF.msi"
Imagebase:	0x7ff782840000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:36:04
Start date:	09/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff782840000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:36:07
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 95F1AF63E07BF3D6D84FF23ADB29ED1A
Imagebase:	0x450000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:36:19
Start date:	09/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss90F4.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi90E1.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr90E2.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr90E3.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Imagebase:	0xb80000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:36:19
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:36:29
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\openvpn.exe"
Imagebase:	0x7ff673e10000
File size:	1'039'136 bytes
MD5 hash:	5E807B5DAD1B6C81982037C714DC9AEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:36:29
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 04AD36B0 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d3034cf5fa3fecd75b6ffa7063030871d8e3ffcb1ac5ecf4d698b087b03a06
Instruction ID: 359d8f725c2eab2986d593a887fc0e9266e831ca8747852f63416fec1047da64
Opcode Fuzzy Hash: f7d3034cf5fa3fecd75b6ffa7063030871d8e3ffcb1ac5ecf4d698b087b03a06
Instruction Fuzzy Hash: 7E327F74B043448FCB15DF68C490AAABBB2FF89700B148999D8869B756D739FC42CB52

Function 04AD8478 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a458de613074ec984a4455b630cc583b63831b3b9436f73c9c9e6e2252b6ecae
Instruction ID: 9272c27a40250dec00efddc1638827eabc6a3d55e2d759d2b7a03beceda0ca67
Opcode Fuzzy Hash: a458de613074ec984a4455b630cc583b63831b3b9436f73c9c9e6e2252b6ecae
Instruction Fuzzy Hash: 69A19F75A002088FDB14EFA5D944AADBBB2FF88740F15856CD416AB368DB38ED49CB40

Function 04AD8D36 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8aa2a242b9dd519cbcf7077e381971b855aa8d7d0a1306a29e91f54dabee27
Instruction ID: 15e682addd170d06f52f1fef900fc53a2904a6e6a7fa089c462a84357631634c
Opcode Fuzzy Hash: 4d8aa2a242b9dd519cbcf7077e381971b855aa8d7d0a1306a29e91f54dabee27
Instruction Fuzzy Hash: 9F713C70A00208DFDB18EFB5D854BADBBF6BF88744F14842DD416AB294DB38AD46CB50

Function 04AD8BC8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3258181b2908594005b0aac89a93e4d39f19c81534077084c76270c59ddd4b1b
Instruction ID: db202c08b66ae8f54822c27054a5e0d789e2a9b4109dccc44de9e660b042dabe
Opcode Fuzzy Hash: 3258181b2908594005b0aac89a93e4d39f19c81534077084c76270c59ddd4b1b
Instruction Fuzzy Hash: A171BE30A00244CFDB18EF68D884A9EBBF6BF89314F18896DD466DB650DB75EC46CB40

Function 04AD8959 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb80c1f2637a3b5cdf917d68e36fbe1d78e8fa10aabfba12a49a4d3ca57d15d
Instruction ID: 8e58b2166989d04239d9a851e35d611ca3fcb5f823db0456a8d173e01830b40b
Opcode Fuzzy Hash: eeb80c1f2637a3b5cdf917d68e36fbe1d78e8fa10aabfba12a49a4d3ca57d15d
Instruction Fuzzy Hash: E64182757002009FEB18EF64C459AAE7BB6EF8D750F19416DE416EB3A4DB38AC41CB50

Function 04AD8BB3 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222c858353a7b84c62f4d7db9ad263405fe956868ff2fab5c1a1e7df3ef1637f
Instruction ID: 6a0229a5e6c7c9899f1540dd4eb5c730ce07e52e3b3291191033ea2c87c52fc4
Opcode Fuzzy Hash: 222c858353a7b84c62f4d7db9ad263405fe956868ff2fab5c1a1e7df3ef1637f
Instruction Fuzzy Hash: 30415370A00308DFDB18EFA5C844B9EBBB6BF89740F14856DD056AB794DB78AC45CB50

Function 07951BCC Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1774492551.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10a7767940aa3e6ede8ea385bbc831bf084aef3147cd181aad26f4ccb20304c
Instruction ID: d8e3b5cbe1eadd18f3dfc83281a68c29865540c672ddddf6a05ab34f8a98fe3a
Opcode Fuzzy Hash: e10a7767940aa3e6ede8ea385bbc831bf084aef3147cd181aad26f4ccb20304c
Instruction Fuzzy Hash: 6D314CB174022EDFDB25DE68D4407BA77EAEB84219F14C436ED029B281DB76CD80C761

Function 04AD3D10 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b662cc226316c8a517823947af27d693c66d92175d6587e17ccd287d1dde1ca7
Instruction ID: 7d7b527caced9cf2d7b88345445054c8197fbe578ed0a3f66ea4f2a0b53cda2b
Opcode Fuzzy Hash: b662cc226316c8a517823947af27d693c66d92175d6587e17ccd287d1dde1ca7
Instruction Fuzzy Hash: 9E412574A006058FCB06CF59C594AAAFBB1FF88310B258599D852AB3A4C732FC50CBA1

Function 04AD3E85 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2d7acaf0f427892173d921c86390ba487888f81aa662742d2a1fa683990b08
Instruction ID: be753cedcbb8d7310853f1babb45f37f23fc13ac3db9877888dfb872e2181da0
Opcode Fuzzy Hash: 3f2d7acaf0f427892173d921c86390ba487888f81aa662742d2a1fa683990b08
Instruction Fuzzy Hash: 4811863150A3D08FDB03C76CDC607D97F71AF46124F0981DBC4849B6A3C619980AC766

Function 0318D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1769462496.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_318d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab30ee8d2b5c65d952e9c7cc0b87d556fe9dd5836c0226a3ae0ddb89d9a71270
Instruction ID: da76005e534681a2ab164613398a11d32447fc918cfa834576beee72c32f4ac4
Opcode Fuzzy Hash: ab30ee8d2b5c65d952e9c7cc0b87d556fe9dd5836c0226a3ae0ddb89d9a71270
Instruction Fuzzy Hash: AD01F7714043449FE724EB11EC84B67FB98EF89624F1CC059DC480B282C7799441CEBA

Function 0318D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1769462496.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_318d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a7ba412289f4498968aebb606de15858cbd1c38a94047573157b644642326b
Instruction ID: 10fda94a9eda03133f05798c4c7eac854e8ad3973cf61fd75e872984b6a572cd
Opcode Fuzzy Hash: 19a7ba412289f4498968aebb606de15858cbd1c38a94047573157b644642326b
Instruction Fuzzy Hash: 3001407240E3C09FD7128B259C94B52BFB4DF47224F1D81DBD8888F2A3C2695844CB76

Function 04AD88ED Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1770089593.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ef4d7a4e3b521fe964ad143141f580e05ac4cbe41bc127135474d1bf6d060e
Instruction ID: 740d5fb3e7087ce0e236c5e54e5200886339a89d8aef1443fe4a30e68ca76de3
Opcode Fuzzy Hash: 66ef4d7a4e3b521fe964ad143141f580e05ac4cbe41bc127135474d1bf6d060e
Instruction Fuzzy Hash: AAF01C74A4030A9FEB04EBA4C595B6E77B2AF84740F108858D1529F254DB7CA9498B81

Analysis Process: openvpn.exePID: 6868, Parent PID: 4500COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFBA95FC940 Relevance: 282.1, APIs: 134, Strings: 26, Instructions: 2105registrymemoryfileCOMMON

Download Yara Rule

APIs

FreeLibraryWhenCallbackReturns.KERNEL32 ref: 00007FFBA95FC9A9
CloseThreadpool.KERNEL32 ref: 00007FFBA95FC9B1
GetLargePageMinimum.KERNEL32 ref: 00007FFBA95FC9B7
SetWindowsHookExW.USER32 ref: 00007FFBA95FC9C7
ChangeClipboardChain.USER32 ref: 00007FFBA95FC9D1
ReadConsoleOutputAttribute.KERNEL32 ref: 00007FFBA95FC9EA
RegisterApplicationRestart.KERNEL32 ref: 00007FFBA95FC9F9
EnableScrollBar.USER32 ref: 00007FFBA95FCA06
IsBadCodePtr.KERNEL32 ref: 00007FFBA95FCA0E
CharLowerBuffW.USER32 ref: 00007FFBA95FCA18
GetCommandLineW.KERNEL32 ref: 00007FFBA95FCA1E
SetConsoleTextAttribute.KERNEL32 ref: 00007FFBA95FCA28
CreateMailslotW.KERNEL32 ref: 00007FFBA95FCA38
GetAltTabInfoW.USER32 ref: 00007FFBA95FCA4D
EnumDisplayDevicesW.USER32 ref: 00007FFBA95FCA5D
AdjustWindowRectEx.USER32 ref: 00007FFBA95FCA6D
GetDCEx.USER32 ref: 00007FFBA95FCA7A
GetNLSVersionEx.KERNEL32 ref: 00007FFBA95FCA8C
GetProcessWorkingSetSizeEx.KERNEL32 ref: 00007FFBA95FCA9C
RemoveDirectoryW.KERNEL32 ref: 00007FFBA95FCBFD
GetCalendarInfoW.KERNEL32 ref: 00007FFBA95FCC17
CreateRectRgnIndirect.GDI32 ref: 00007FFBA95FCC1F
DefineDosDeviceW.KERNEL32 ref: 00007FFBA95FCC2C
GetTextExtentPoint32W.GDI32 ref: 00007FFBA95FCC3C
WriteProfileSectionW.KERNEL32 ref: 00007FFBA95FCC46
VerifyScripts.KERNEL32 ref: 00007FFBA95FCC64
GetKerningPairsW.GDI32 ref: 00007FFBA95FCC71
EnumResourceTypesExW.KERNEL32 ref: 00007FFBA95FCC87
GetFinalPathNameByHandleW.KERNEL32 ref: 00007FFBA95FCC97
CreateDiscardableBitmap.GDI32 ref: 00007FFBA95FCCA4
EnterCriticalSection.KERNEL32 ref: 00007FFBA95FCCAC
StretchDIBits.GDI32 ref: 00007FFBA95FCCE9
GetDefaultCommConfigW.KERNEL32 ref: 00007FFBA95FCCF6
GetCurrentPositionEx.GDI32 ref: 00007FFBA95FCD00
CreateICW.GDI32 ref: 00007FFBA95FCD10
GetConsoleTitleW.KERNEL32 ref: 00007FFBA95FCD1A
VirtualUnlock.KERNEL32 ref: 00007FFBA95FCD4B
EnterSynchronizationBarrier.KERNEL32 ref: 00007FFBA95FCD55
InterlockedPushListSListEx.KERNEL32 ref: 00007FFBA95FCD65
SetProcessPreferredUILanguages.KERNEL32 ref: 00007FFBA95FCD72
AddSecureMemoryCacheCallback.KERNEL32 ref: 00007FFBA95FCD7A
ResetEvent.KERNEL32 ref: 00007FFBA95FCD82
CreatePipe.KERNEL32 ref: 00007FFBA95FCD92
GetNumaHighestNodeNumber.KERNEL32 ref: 00007FFBA95FCD9A
GetProcessAffinityMask.KERNEL32 ref: 00007FFBA95FCDA7
EnumDateFormatsW.KERNEL32 ref: 00007FFBA95FCDB4
HeapUnlock.KERNEL32 ref: 00007FFBA95FCDBC
SetConsoleActiveScreenBuffer.KERNEL32 ref: 00007FFBA95FCDC4
GetProcessMitigationPolicy.KERNEL32 ref: 00007FFBA95FCE35
WaitNamedPipeW.KERNEL32 ref: 00007FFBA95FCE3F
GetNumaProcessorNode.KERNEL32 ref: 00007FFBA95FCE49
LocalReAlloc.KERNEL32 ref: 00007FFBA95FCE56
SetDllDirectoryW.KERNEL32 ref: 00007FFBA95FCE5E
lstrcatW.KERNEL32 ref: 00007FFBA95FCE68
IsValidLocale.KERNEL32 ref: 00007FFBA95FCE72
ApplicationRecoveryFinished.KERNEL32 ref: 00007FFBA95FCE7A
CreateFileMappingNumaW.KERNEL32 ref: 00007FFBA95FCE99
NeedCurrentDirectoryForExePathW.KERNEL32 ref: 00007FFBA95FCEA1
SetThreadpoolWait.KERNEL32 ref: 00007FFBA95FCEAE
WriteTapemark.KERNEL32 ref: 00007FFBA95FCEBE
CreateDirectoryW.KERNEL32 ref: 00007FFBA95FCEC8
QueryIdleProcessorCycleTimeEx.KERNEL32 ref: 00007FFBA95FCED5
CreateSemaphoreExW.KERNEL32 ref: 00007FFBA95FCEEF
SetConsoleActiveScreenBuffer.KERNEL32 ref: 00007FFBA95FCEF7
PathFileExistsA.SHLWAPI ref: 00007FFBA95FCF5A
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBA95FCF9A
ApplicationRecoveryInProgress.KERNEL32 ref: 00007FFBA95FCFA2
TryAcquireSRWLockShared.KERNEL32 ref: 00007FFBA95FCFAA
IsDBCSLeadByte.KERNEL32 ref: 00007FFBA95FCFB2
ReadConsoleInputW.KERNEL32 ref: 00007FFBA95FCFC2
SwitchToFiber.KERNEL32 ref: 00007FFBA95FCFCA
FlushProcessWriteBuffers.KERNEL32 ref: 00007FFBA95FCFD0
AllocateUserPhysicalPagesNuma.KERNEL32 ref: 00007FFBA95FCFE0
SetConsoleActiveScreenBuffer.KERNEL32 ref: 00007FFBA95FCFE8
BackupWrite.KERNEL32 ref: 00007FFBA95FD007
SetFileApisToANSI.KERNEL32 ref: 00007FFBA95FD00D
GetPriorityClass.KERNEL32 ref: 00007FFBA95FD015
GetConsoleProcessList.KERNEL32 ref: 00007FFBA95FD01F
GetTapeStatus.KERNEL32 ref: 00007FFBA95FD027
GetVersionExW.KERNEL32 ref: 00007FFBA95FD02F
FindFirstFileA.KERNEL32 ref: 00007FFBA95FD116
FindNextFileA.KERNEL32 ref: 00007FFBA95FD193
FindClose.KERNEL32 ref: 00007FFBA95FD1A0
OutputDebugStringA.KERNEL32 ref: 00007FFBA95FD576
FindClose.KERNEL32 ref: 00007FFBA95FD77F
RegOpenKeyExA.ADVAPI32 ref: 00007FFBA95FDB20
RegQueryValueExA.ADVAPI32 ref: 00007FFBA95FDB62
OutputDebugStringA.KERNEL32 ref: 00007FFBA95FDD88
RegCloseKey.ADVAPI32 ref: 00007FFBA95FDE44
ReleaseSemaphore.KERNEL32 ref: 00007FFBA95FE0CD
VirtualProtectEx.KERNEL32 ref: 00007FFBA95FE0E4
WriteProcessMemory.KERNEL32 ref: 00007FFBA95FE0F9
FindNextFileW.KERNEL32 ref: 00007FFBA95FE103
SetProtectedPolicy.KERNEL32 ref: 00007FFBA95FE110
EnumSystemFirmwareTables.KERNEL32 ref: 00007FFBA95FE11D
OpenFileMappingW.KERNEL32 ref: 00007FFBA95FE12A
GetNamedPipeServerSessionId.KERNEL32 ref: 00007FFBA95FE134
CreateFileW.KERNEL32 ref: 00007FFBA95FE151
CommConfigDialogW.KERNEL32 ref: 00007FFBA95FE15E
GetFileType.KERNEL32 ref: 00007FFBA95FE166
FindNextChangeNotification.KERNEL32 ref: 00007FFBA95FE16E
LocalAlloc.KERNEL32 ref: 00007FFBA95FE178
CreateDirectoryW.KERNEL32 ref: 00007FFBA95FE182
GetConsoleCursorInfo.KERNEL32 ref: 00007FFBA95FE18C
CreateThreadpool.KERNEL32 ref: 00007FFBA95FE194
SetProcessAffinityUpdateMode.KERNEL32 ref: 00007FFBA95FE19E
GetFileAttributesExW.KERNEL32 ref: 00007FFBA95FE1AB
CallbackMayRunLong.KERNEL32 ref: 00007FFBA95FE1B3
GetTempPathA.KERNEL32 ref: 00007FFBA95FE23F
CreateDirectoryA.KERNEL32 ref: 00007FFBA95FE2EC
GetLastError.KERNEL32 ref: 00007FFBA95FE2F6
OutputDebugStringA.KERNEL32 ref: 00007FFBA95FE6A8
Wow64DisableWow64FsRedirection.KERNEL32 ref: 00007FFBA95FE843
GlobalReAlloc.KERNEL32 ref: 00007FFBA95FE850
DefWindowProcW.USER32 ref: 00007FFBA95FE860
EnumSystemFirmwareTables.KERNEL32 ref: 00007FFBA95FE86D
DialogBoxIndirectParamW.USER32 ref: 00007FFBA95FE885
GetNumaNodeProcessorMask.KERNEL32 ref: 00007FFBA95FE88F
GetConsoleCursorInfo.KERNEL32 ref: 00007FFBA95FE899
lstrcpyW.KERNEL32 ref: 00007FFBA95FE8A3
GetDllDirectoryW.KERNEL32 ref: 00007FFBA95FE8AD
LocalSize.KERNEL32 ref: 00007FFBA95FE8B5
FindNextStreamW.KERNEL32 ref: 00007FFBA95FE8BF
CreateNamedPipeW.KERNEL32 ref: 00007FFBA95FE8E3
WakeConditionVariable.KERNEL32 ref: 00007FFBA95FE8EB
TrackMouseEvent.USER32 ref: 00007FFBA95FE8F3
Wow64DisableWow64FsRedirection.KERNEL32 ref: 00007FFBA95FE8FB
RegisterHotKey.USER32 ref: 00007FFBA95FE90B
GetActiveProcessorCount.KERNEL32 ref: 00007FFBA95FE913
FileTimeToSystemTime.KERNEL32 ref: 00007FFBA95FE91D
GetNumaProximityNodeEx.KERNEL32 ref: 00007FFBA95FE927
ExitProcess.KERNEL32 ref: 00007FFBA95FE947
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA95FE9D8
ExitProcess.KERNEL32 ref: 00007FFBA95FEC12

Strings

File Content: , xrefs: 00007FFBA95FD59C
VUUU, xrefs: 00007FFBA95FDF96
VUUU, xrefs: 00007FFBA95FD97A
VUUU, xrefs: 00007FFBA95FDF69
VUUU, xrefs: 00007FFBA95FDFE9
VUUU, xrefs: 00007FFBA95FD7D3
VK34yKdb3vcW2h3623Q8Wu, xrefs: 00007FFBA95FCA83
VUUU, xrefs: 00007FFBA95FD933
VUUU, xrefs: 00007FFBA95FE003
VUUU, xrefs: 00007FFBA95FD90B
s.txt, xrefs: 00007FFBA95FE40A
VUUU, xrefs: 00007FFBA95FEAF3
VUUU, xrefs: 00007FFBA95FD9A3
CRC64: , xrefs: 00007FFBA95FD450, 00007FFBA95FD4CC
SkCf8p8sw935oV2, xrefs: 00007FFBA95FC9F2
VUUU, xrefs: 00007FFBA95FDEF2
ios_base::failbit set, xrefs: 00007FFBA95FE986, 00007FFBA95FE9EF
ios_base::badbit set, xrefs: 00007FFBA95FE97A, 00007FFBA95FE9E3, 00007FFBA95FEA43
2Ojit53GK3DaC7xe, xrefs: 00007FFBA95FCC51
ios_base::eofbit set, xrefs: 00007FFBA95FE98D, 00007FFBA95FE9F6
CRC64 (Generated): , xrefs: 00007FFBA95FE593, 00007FFBA95FE603
logoq, xrefs: 00007FFBA95FCF53, 00007FFBA95FD0A2, 00007FFBA95FD1C0, 00007FFBA95FE290
CRC64 (Registry): , xrefs: 00007FFBA95FDC69, 00007FFBA95FDCDE
JLYR18H71UcU1cLEv, xrefs: 00007FFBA95FCC5B
Software\logoq, xrefs: 00007FFBA95FDB12
VUUU, xrefs: 00007FFBA95FEB93

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Create$File$ConsoleProcess$DirectoryFind$Numa$EnumWrite$ActiveCloseInfoNextNodeOutputPathPipeProcessorWow64$AllocApplicationBufferCallbackDebugListLocalNamedScreenStringSystemThreadpoolTime$AffinityAttributeChangeCommConfigCurrentCursorDialogDisableEnterEventExitFirmwareIndirectMappingMaskMemoryOpenPolicyQueryReadRecoveryRectRedirectionRegisterSectionSemaphoreSizeTablesTextUnlockVersionVirtualWaitWindow$AcquireAdjustAllocateApisAttributesBackupBarrierBitmapBitsBuffBuffersByteCacheCalendarChainCharClassClipboardCodeCommandConcurrency::cancel_current_taskConditionCountCriticalCycleDateDefaultDefineDeviceDevicesDiscardableDisplayEnableErrorExceptionExistsExtentFiberFilterFinalFinishedFirstFlushFormatsFreeGlobalHandleHeapHighestHookIdleInputInterlockedKerningLanguagesLargeLastLeadLibraryLineLocaleLockLongLowerMailslotMinimumMitigationModeMouseNameNeedNotificationNumberPagePagesPairsParamPhysicalPoint32PositionPreferredPriorityProcProfileProgressProtectProtectedProximityPushReleaseRemoveResetResourceRestartReturnsScriptsScrollSecureServerSessionSharedStatusStreamStretchSwitchSynchronizationTapeTapemarkTempTitleTrackTypeTypesUnhandledUpdateUserValidValueVariableVerifyWakeWhenWindowsWorkinglstrcatlstrcpy
String ID: 2Ojit53GK3DaC7xe$CRC64 (Generated): $CRC64 (Registry): $CRC64: $File Content: $JLYR18H71UcU1cLEv$SkCf8p8sw935oV2$Software\logoq$VK34yKdb3vcW2h3623Q8Wu$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$logoq$s.txt
API String ID: 378123429-976420356
Opcode ID: fd27a149bbc0aa0a9143e5afe967cf8c9ba72f7fa9ef2069d07f69cda315a45e
Instruction ID: f697e3d2e568192ff0d8d765efcd906db91ac7a7c2a0559d44764af67cc1894d
Opcode Fuzzy Hash: fd27a149bbc0aa0a9143e5afe967cf8c9ba72f7fa9ef2069d07f69cda315a45e
Instruction Fuzzy Hash: 8323D2B2A15B8286FB26CF39D8453ED37A1FB84758F405235DE0E86A99DF38D248D700

Function 00007FFBA95F54B0 Relevance: 228.8, APIs: 104, Strings: 26, Instructions: 1295
timethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32 ref: 00007FFBA95F54FC
CreateSemaphoreA.KERNEL32 ref: 00007FFBA95F55E0
GetCurrentProcess.KERNEL32 ref: 00007FFBA95F55E6
GetProcessTimes.KERNEL32 ref: 00007FFBA95F560B
FileTimeToSystemTime.KERNEL32 ref: 00007FFBA95F5620
GetTempPathA.KERNEL32 ref: 00007FFBA95F5632
TrySubmitThreadpoolCallback.KERNEL32 ref: 00007FFBA95F57FB
GetSystemDefaultUILanguage.KERNEL32 ref: 00007FFBA95F5801
QueryProtectedPolicy.KERNEL32 ref: 00007FFBA95F580B
FreeConsole.KERNEL32 ref: 00007FFBA95F5811
InitializeSListHead.KERNEL32 ref: 00007FFBA95F5819
GetTimeFormatW.KERNEL32 ref: 00007FFBA95F5833
GetStdHandle.KERNEL32 ref: 00007FFBA95F583B
GetConsoleAliasesLengthW.KERNEL32 ref: 00007FFBA95F5843
FileTimeToSystemTime.KERNEL32 ref: 00007FFBA95F584D
AreFileApisANSI.KERNEL32 ref: 00007FFBA95F5853
QueryThreadProfiling.KERNEL32 ref: 00007FFBA95F585D
GetNumaProcessorNodeEx.KERNEL32 ref: 00007FFBA95F5867
InitOnceComplete.KERNEL32 ref: 00007FFBA95F5874
GlobalSize.KERNEL32 ref: 00007FFBA95F587C
FindFirstFileNameTransactedW.KERNEL32 ref: 00007FFBA95F5896
SetConsoleTitleW.KERNEL32 ref: 00007FFBA95F589E
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFBA95F58AE
DeleteBoundaryDescriptor.KERNEL32 ref: 00007FFBA95F58B6
GetComputerNameW.KERNEL32 ref: 00007FFBA95F58C0
SetThreadIdealProcessor.KERNEL32 ref: 00007FFBA95F58CA
InitializeConditionVariable.KERNEL32 ref: 00007FFBA95F58D2
GetThreadTimes.KERNEL32 ref: 00007FFBA95F58E7
GetProcessWorkingSetSize.KERNEL32 ref: 00007FFBA95F58F4
EqualRect.USER32 ref: 00007FFBA95F593D
WaitForThreadpoolTimerCallbacks.KERNEL32 ref: 00007FFBA95F5947
SetThreadpoolThreadMinimum.KERNEL32 ref: 00007FFBA95F5951
GetSubMenu.USER32 ref: 00007FFBA95F595B
GetApplicationRestartSettings.KERNEL32 ref: 00007FFBA95F5973
ReadConsoleOutputW.KERNEL32 ref: 00007FFBA95F5990
PhysicalToLogicalPoint.USER32 ref: 00007FFBA95F599A
EnumResourceNamesW.KERNEL32 ref: 00007FFBA95F59AA
PackDDElParam.USER32 ref: 00007FFBA95F59B7
HeapCreate.KERNEL32 ref: 00007FFBA95F6710
GetLastError.KERNEL32 ref: 00007FFBA95F6731
HeapAlloc.KERNEL32 ref: 00007FFBA95F6763
GetLastError.KERNEL32 ref: 00007FFBA95F6784
HeapDestroy.KERNEL32 ref: 00007FFBA95F680E
EnumResourceTypesExW.KERNEL32 ref: 00007FFBA95F6877
IsValidCodePage.KERNEL32 ref: 00007FFBA95F687F
IsBadWritePtr.KERNEL32 ref: 00007FFBA95F6889
ConvertThreadToFiber.KERNEL32 ref: 00007FFBA95F6891
GetPhysicallyInstalledSystemMemory.KERNEL32 ref: 00007FFBA95F6899
QueryUnbiasedInterruptTime.KERNEL32 ref: 00007FFBA95F68A1
GetSystemRegistryQuota.KERNEL32 ref: 00007FFBA95F68AB
ClearCommBreak.KERNEL32 ref: 00007FFBA95F68B3
InitAtomTable.KERNEL32 ref: 00007FFBA95F68BB
ConvertFiberToThread.KERNEL32 ref: 00007FFBA95F68C1
CreateDirectoryW.KERNEL32 ref: 00007FFBA95F68CB
GlobalFindAtomW.KERNEL32 ref: 00007FFBA95F68D3
SetProcessPriorityBoost.KERNEL32 ref: 00007FFBA95F68DD
FatalAppExitW.KERNEL32 ref: 00007FFBA95F68E7
SetWaitableTimer.KERNEL32 ref: 00007FFBA95F6901
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA95F6909
GetProcessTimes.KERNEL32 ref: 00007FFBA95F691E
GetTickCount.KERNEL32 ref: 00007FFBA95F6924
GlobalAddAtomW.KERNEL32 ref: 00007FFBA95F692C

Strings

Heap creation failed: , xrefs: 00007FFBA95F671E
- Compressed, xrefs: 00007FFBA95F5D7B
Memory allocation failed: , xrefs: 00007FFBA95F6775
Semaphore Name: MorningSemaphore, xrefs: 00007FFBA95F6558
yESgpuSriscYBdjh.txt, xrefs: 00007FFBA95F5676
- Encrypted, xrefs: 00007FFBA95F5D94
nUjj77psZpMwTc5IH1Sk2Y, xrefs: 00007FFBA95F588F
VUUU, xrefs: 00007FFBA95F5901
w6y7xGe3tFLhKIpsmXrtQYbu, xrefs: 00007FFBA95F61D5
Current Directory: , xrefs: 00007FFBA95F5CB4
Attributes:, xrefs: 00007FFBA95F5CE5
- Temporary, xrefs: 00007FFBA95F5DAD
- Archive, xrefs: 00007FFBA95F5D62
Allocated Memory Address: , xrefs: 00007FFBA95F67A5
SGxEALRghmcYkVF, xrefs: 00007FFBA95F55D2
ios_base::failbit set, xrefs: 00007FFBA95F69F8
- Hidden, xrefs: 00007FFBA95F5D30
- System, xrefs: 00007FFBA95F5D49
- Read-only, xrefs: 00007FFBA95F5D17
ios_base::badbit set, xrefs: 00007FFBA95F69EC
Current Date & Time: , xrefs: 00007FFBA95F63B1
s8KI459ZR9v84dTthcUmqprFe37q, xrefs: 00007FFBA95F6314
Process Creation Time: , xrefs: 00007FFBA95F6568
ios_base::eofbit set, xrefs: 00007FFBA95F69FF
- Directory, xrefs: 00007FFBA95F5CFE
me8BHhX6ZeDWu5b6u9Xz, xrefs: 00007FFBA95F62F9

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Time$Thread$ProcessSystem$ConsoleFile$AtomCreateGlobalHeapQueryThreadpoolTimes$ConvertEnumErrorFiberFindFreeInitInitializeLastNameProcessorResourceSizeTimer$AliasesAllocApisApplicationBoostBoundaryBreakCallbackCallbacksClearCodeCommCompleteComputerConditionCountCurrentDefaultDeleteDescriptorDestroyDirectoryDiskEqualExclusiveExitFatalFirstFormatHandleHeadIdealInstalledInterruptLanguageLengthListLocalLockLogicalMemoryMenuMinimumNamesNodeNumaOnceOutputPackPageParamPathPhysicalPhysicallyPointPolicyPriorityProfilingProtectedQuotaReadRectRegistryReleaseRestartSemaphoreSettingsSpaceSubmitTableTempTickTitleTransactedTypesUnbiasedValidVariableWaitWaitableWorkingWrite
String ID: - Archive$ - Compressed$ - Directory$ - Encrypted$ - Hidden$ - Read-only$ - System$ - Temporary$Allocated Memory Address: $Attributes:$Current Date & Time: $Current Directory: $Heap creation failed: $Memory allocation failed: $Process Creation Time: $SGxEALRghmcYkVF$Semaphore Name: MorningSemaphore$VUUU$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$me8BHhX6ZeDWu5b6u9Xz$nUjj77psZpMwTc5IH1Sk2Y$s8KI459ZR9v84dTthcUmqprFe37q$w6y7xGe3tFLhKIpsmXrtQYbu$yESgpuSriscYBdjh.txt
API String ID: 1498084445-79382683
Opcode ID: 41c4d286336259d5067748a92bac0c80b9f8da05f7893086f72917e6e8ec6109
Instruction ID: 40e76892279704dd5e8fbab264052cde44ff7e4c6d9bdef6e5265cad79e3a54e
Opcode Fuzzy Hash: 41c4d286336259d5067748a92bac0c80b9f8da05f7893086f72917e6e8ec6109
Instruction Fuzzy Hash: CFD29DB2A06B8296EB16CF74D8556AE3361FF84788F409136DE4E8BA69DF3CD145D300

Function 00007FFBA95F47C0 Relevance: 174.1, APIs: 95, Strings: 4, Instructions: 834
threadmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFBA95FC290: GetClipboardViewer.USER32 ref: 00007FFBA95FC300
Part of subcall function 00007FFBA95FC290: CloseWindowStation.USER32 ref: 00007FFBA95FC308
Part of subcall function 00007FFBA95FC290: CreateFileW.KERNEL32 ref: 00007FFBA95FC327
Part of subcall function 00007FFBA95FC290: WaitForInputIdle.USER32 ref: 00007FFBA95FC331
Part of subcall function 00007FFBA95FC290: IsThreadAFiber.KERNEL32 ref: 00007FFBA95FC337
Part of subcall function 00007FFBA95FC290: GetProcessPriorityBoost.KERNEL32 ref: 00007FFBA95FC341
Part of subcall function 00007FFBA95FC290: StartThreadpoolIo.KERNEL32 ref: 00007FFBA95FC349
Part of subcall function 00007FFBA95FC290: CalculatePopupWindowPosition.USER32 ref: 00007FFBA95FC35E
Part of subcall function 00007FFBA95FC290: WakeAllConditionVariable.KERNEL32 ref: 00007FFBA95FC366
Part of subcall function 00007FFBA95FC290: RegisterClassExW.USER32 ref: 00007FFBA95FC36E
Part of subcall function 00007FFBA95FC290: WriteConsoleInputW.KERNEL32 ref: 00007FFBA95FC37E
Part of subcall function 00007FFBA95FC290: SetRectEmpty.USER32 ref: 00007FFBA95FC386
Part of subcall function 00007FFBA95FC290: ScrollDC.USER32 ref: 00007FFBA95FC3A5
Part of subcall function 00007FFBA95FC290: SetProcessRestrictionExemption.USER32 ref: 00007FFBA95FC3AD
Part of subcall function 00007FFBA95FC290: ExitWindowsEx.USER32 ref: 00007FFBA95FC3B7
Part of subcall function 00007FFBA95FC290: EndMenu.USER32 ref: 00007FFBA95FC3BD
Part of subcall function 00007FFBA95FC290: GetProcessWorkingSetSizeEx.KERNEL32 ref: 00007FFBA95FC3CD
Part of subcall function 00007FFBA95FC290: SetPhysicalCursorPos.USER32 ref: 00007FFBA95FC3D7
Part of subcall function 00007FFBA95FC290: SwitchToThisWindow.USER32 ref: 00007FFBA95FC3E1
Part of subcall function 00007FFBA95FC290: SetClipboardViewer.USER32 ref: 00007FFBA95FC3E9
Part of subcall function 00007FFBA95FC290: CompareStringW.KERNEL32 ref: 00007FFBA95FC403
Part of subcall function 00007FFBA95FC290: RegisterHotKey.USER32 ref: 00007FFBA95FC413

RequestWakeupLatency.KERNEL32 ref: 00007FFBA95F4C97
IsSystemResumeAutomatic.KERNEL32 ref: 00007FFBA95F4C9D
AngleArc.GDI32 ref: 00007FFBA95F4CBC
GetThreadUILanguage.KERNEL32 ref: 00007FFBA95F4CC2
DuplicateHandle.KERNEL32 ref: 00007FFBA95F4CDE
RtlUnwind.KERNEL32 ref: 00007FFBA95F4CEE
SetThreadPriorityBoost.KERNEL32 ref: 00007FFBA95F4CF8
FindFirstFileTransactedW.KERNEL32 ref: 00007FFBA95F4D16
SetProcessDEPPolicy.KERNEL32 ref: 00007FFBA95F4D1E
GetTapeStatus.KERNEL32 ref: 00007FFBA95F4D26
GetMemoryErrorHandlingCapabilities.KERNEL32 ref: 00007FFBA95F4D2E
FindFirstFileExW.KERNEL32 ref: 00007FFBA95F4D47
GetHandleInformation.KERNEL32 ref: 00007FFBA95F4D51
GetSystemWindowsDirectoryW.KERNEL32 ref: 00007FFBA95F4D5B
GlobalReAlloc.KERNEL32 ref: 00007FFBA95F4D68
lstrcmpiW.KERNEL32 ref: 00007FFBA95F4D72
SetThreadpoolWaitEx.KERNEL32 ref: 00007FFBA95F4D82
AddFontMemResourceEx.GDI32 ref: 00007FFBA95F4D92
CreateSemaphoreW.KERNEL32 ref: 00007FFBA95F4DA2
SetLayout.GDI32 ref: 00007FFBA95F4DAC
GetProfileIntW.KERNEL32 ref: 00007FFBA95F4DB9

Part of subcall function 00007FFBA9657C1C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9657C4C
Part of subcall function 00007FFBA9657C1C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9657C52

ConvertDefaultLocale.KERNEL32 ref: 00007FFBA95F4DC1
GlobalUnlock.KERNEL32 ref: 00007FFBA95F4DC9
AttachConsole.KERNEL32 ref: 00007FFBA95F4DD1
CreateHardLinkW.KERNEL32 ref: 00007FFBA95F4DDE
GetModuleHandleW.KERNEL32 ref: 00007FFBA95F4DE6
GetDCBrushColor.GDI32 ref: 00007FFBA95F4DEE
GetFontLanguageInfo.GDI32 ref: 00007FFBA95F4DF6
SetThreadLocale.KERNEL32 ref: 00007FFBA95F4DFE
GetROP2.GDI32 ref: 00007FFBA95F4E06
SetThreadErrorMode.KERNEL32 ref: 00007FFBA95F4E72
GetNLSVersion.KERNEL32 ref: 00007FFBA95F4E7F
GetGeoInfoW.KERNEL32 ref: 00007FFBA95F4E94
RemoveDirectoryW.KERNEL32 ref: 00007FFBA95F4E9C
GetTempFileNameW.KERNEL32 ref: 00007FFBA95F4EAC
GetTimeZoneInformation.KERNEL32 ref: 00007FFBA95F4EB4
GetProcessGroupAffinity.KERNEL32 ref: 00007FFBA95F4EC1
GetNumberFormatW.KERNEL32 ref: 00007FFBA95F4EDA
RegisterApplicationRestart.KERNEL32 ref: 00007FFBA95F4EE9
FlsSetValue.KERNEL32 ref: 00007FFBA95F4EF3
AssignProcessToJobObject.KERNEL32 ref: 00007FFBA95F4EFD
CreateThreadpoolIo.KERNEL32 ref: 00007FFBA95F4F0D
SetTapeParameters.KERNEL32 ref: 00007FFBA95F4F1A
BackupSeek.KERNEL32 ref: 00007FFBA95F4F34
GlobalMemoryStatus.KERNEL32 ref: 00007FFBA95F4F3C
MoveFileW.KERNEL32 ref: 00007FFBA95F4F46
CreateHardLinkW.KERNEL32 ref: 00007FFBA95F4F53
SetDefaultDllDirectories.KERNEL32 ref: 00007FFBA95F4F5B
GetCurrentThread.KERNEL32 ref: 00007FFBA95F4F61
WaitNamedPipeW.KERNEL32 ref: 00007FFBA95F4F6B
CreateEventExW.KERNEL32 ref: 00007FFBA95F5031
VirtualFree.KERNEL32 ref: 00007FFBA95F503E
ReadFileEx.KERNEL32 ref: 00007FFBA95F5053
GetConsoleOriginalTitleW.KERNEL32 ref: 00007FFBA95F505D
ReadConsoleOutputW.KERNEL32 ref: 00007FFBA95F5074
CreateSemaphoreExW.KERNEL32 ref: 00007FFBA95F508C
RtlCaptureStackBackTrace.KERNEL32 ref: 00007FFBA95F509C
DebugSetProcessKillOnExit.KERNEL32 ref: 00007FFBA95F50A4
GetCommMask.KERNEL32 ref: 00007FFBA95F50AE
GetTempFileNameW.KERNEL32 ref: 00007FFBA95F50BE
GetNumaNodeProcessorMaskEx.KERNEL32 ref: 00007FFBA95F50C8
AddSIDToBoundaryDescriptor.KERNEL32 ref: 00007FFBA95F50D2
HeapSize.KERNEL32 ref: 00007FFBA95F50DF
GetProcAddress.KERNEL32 ref: 00007FFBA95F50EE
GetNumaNodeProcessorMask.KERNEL32 ref: 00007FFBA95F50F8
SetProcessWorkingSetSize.KERNEL32 ref: 00007FFBA95F5108
SetConsoleHistoryInfo.KERNEL32 ref: 00007FFBA95F5110
GetPrivateProfileSectionNamesW.KERNEL32 ref: 00007FFBA95F511D
CommConfigDialogW.KERNEL32 ref: 00007FFBA95F512A
lstrcpyW.KERNEL32 ref: 00007FFBA95F5134
QueryIdleProcessorCycleTimeEx.KERNEL32 ref: 00007FFBA95F5141
GetThreadPreferredUILanguages.KERNEL32 ref: 00007FFBA95F5151
AddScopedPolicyIDAce.KERNEL32 ref: 00007FFBA95F5166
HeapCompact.KERNEL32 ref: 00007FFBA95F51FA
CheckTokenMembershipEx.KERNEL32 ref: 00007FFBA95F520A
lstrcatW.KERNEL32 ref: 00007FFBA95F5214
SetWaitableTimer.KERNEL32 ref: 00007FFBA95F522D
GetSystemWow64DirectoryW.KERNEL32 ref: 00007FFBA95F5237
GetConsoleTitleW.KERNEL32 ref: 00007FFBA95F5241
InterlockedPushListSListEx.KERNEL32 ref: 00007FFBA95F5251
SetTimeZoneInformation.KERNEL32 ref: 00007FFBA95F5259
GetActiveProcessorGroupCount.KERNEL32 ref: 00007FFBA95F525F
HeapValidate.KERNEL32 ref: 00007FFBA95F526C
GetConsoleScreenBufferInfoEx.KERNEL32 ref: 00007FFBA95F5276
FindFirstFileExW.KERNEL32 ref: 00007FFBA95F528F
GetConsoleCP.KERNEL32 ref: 00007FFBA95F5295
CreateDirectoryTransactedW.KERNEL32 ref: 00007FFBA95F52A5
GetConsoleAliasW.KERNEL32 ref: 00007FFBA95F52B5
HeapCreate.KERNEL32 ref: 00007FFBA95F52C2
RemoveSecureMemoryCacheCallback.KERNEL32 ref: 00007FFBA95F52CA
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBA95F52D2
GetFileMUIInfo.KERNEL32 ref: 00007FFBA95F52E7
GetSystemWow64DirectoryW.KERNEL32 ref: 00007FFBA95F52F1
InitializeCriticalSection.KERNEL32 ref: 00007FFBA95F52F9
Wow64SuspendThread.KERNEL32 ref: 00007FFBA95F5301

Strings

TxmC0XFCZOdULErqcbMj4wezHIu2Vk2MWAZrIZAExO1z/et6xvYZtqC2LdksnfJOB/Sy5Tg5nYXnkId4L5x277w+fgwtp5goQzaqP4GJP85XyhllqeE86y6UEIt9KzNu6jctGNZGqAir2qvs8/CvO/CPCaBPNj76XYvEaZR9jcCHj0oNWnGOqxFX3vVHdVmi+fleUkpHwufEFLPyh1Mgt2DZJa1t+GWN8dJMAyUzSdlc1NW/+Wl7/XzjwyoJQflwaqtc, xrefs: 00007FFBA95F4E50
fyeF3UQ5K5J553uwI, xrefs: 00007FFBA95F4EE2
qJIQ2T2MU3eQovQPehgQR993E, xrefs: 00007FFBA95F52DE
K9qg36v5a5PatmmoIDyhiMcbwd, xrefs: 00007FFBA95F50E5

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: File$ConsoleCreate$ProcessThread$DirectoryInfoSystemTime$HeapProcessor$FindFirstGlobalHandleInformationMaskMemoryRegisterSizeThreadpoolWaitWindowWow64$BoostClipboardCommConcurrency::cancel_current_taskDefaultErrorExitFontGroupHardIdleInputLanguageLinkListLocaleNameNodeNumaPolicyPriorityProfileReadRemoveSectionSemaphoreStatusTapeTempTitleTransactedViewerWindowsWorkingZone$ActiveAddressAffinityAliasAllocAngleApplicationAssignAttachAutomaticBackBackupBoundaryBrushBufferCacheCalculateCallbackCapabilitiesCaptureCheckClassCloseColorCompactCompareConditionConfigConvertCountCriticalCurrentCursorCycleDebugDescriptorDialogDirectoriesDuplicateEmptyEventExemptionFiberFormatFreeHandlingHistoryInitializeInterlockedKillLanguagesLatencyLayoutMembershipMenuModeModuleMoveNamedNamesNumberObjectOriginalOutputParametersPhysicalPipePopupPositionPreferredPrivateProcPushQueryRectRequestResourceRestartRestrictionResumeScopedScreenScrollSecureSeekStackStartStationStringSuspendSwitchThisTimerTokenTraceUnlockUnwindValidateValueVariableVersionVirtualWaitableWakeWakeupWritelstrcatlstrcmpilstrcpy
String ID: K9qg36v5a5PatmmoIDyhiMcbwd$TxmC0XFCZOdULErqcbMj4wezHIu2Vk2MWAZrIZAExO1z/et6xvYZtqC2LdksnfJOB/Sy5Tg5nYXnkId4L5x277w+fgwtp5goQzaqP4GJP85XyhllqeE86y6UEIt9KzNu6jctGNZGqAir2qvs8/CvO/CPCaBPNj76XYvEaZR9jcCHj0oNWnGOqxFX3vVHdVmi+fleUkpHwufEFLPyh1Mgt2DZJa1t+GWN8dJMAyUzSdlc1NW/+Wl7/XzjwyoJQflwaqtc$fyeF3UQ5K5J553uwI$qJIQ2T2MU3eQovQPehgQR993E
API String ID: 1751010196-2263470566
Opcode ID: d13b04b0aa15d14dd010fd0b8fa0420e4e0a46e04f5ce9680bdcfe7d9ebf6e57
Instruction ID: bc210799e55db1f247726487e603622fa9c77f7f764181e76462f0c2e45db338
Opcode Fuzzy Hash: d13b04b0aa15d14dd010fd0b8fa0420e4e0a46e04f5ce9680bdcfe7d9ebf6e57
Instruction Fuzzy Hash: BD828172A197928AF719CFB4E8556AE33B5FF98748F00813AEE4986A58DF3CD145C700

Function 00007FFBA95FA110 Relevance: 167.5, APIs: 78, Strings: 17, Instructions: 1229
encryptiontimememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFBA96638C4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBA96638D8

CryptAcquireContextW.ADVAPI32 ref: 00007FFBA95FA1C2
CryptGenRandom.ADVAPI32 ref: 00007FFBA95FA1DF
CryptReleaseContext.ADVAPI32 ref: 00007FFBA95FA1EE
GetTempPathW.KERNEL32 ref: 00007FFBA95FA964
GetTempFileNameW.KERNEL32 ref: 00007FFBA95FA982
VirtualFree.KERNEL32 ref: 00007FFBA95FACC1
EscapeCommFunction.KERNEL32 ref: 00007FFBA95FACCB
DeleteFileTransactedW.KERNEL32 ref: 00007FFBA95FACD5
CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFBA95FACDF
GetCommConfig.KERNEL32 ref: 00007FFBA95FACEC
FlsFree.KERNEL32 ref: 00007FFBA95FACF4
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBA95FACFC
HeapQueryInformation.KERNEL32 ref: 00007FFBA95FAD11
CompareStringW.KERNEL32 ref: 00007FFBA95FAD2B
GlobalFlags.KERNEL32 ref: 00007FFBA95FAD33
CreateSemaphoreW.KERNEL32 ref: 00007FFBA95FAD56
CloseHandle.KERNEL32 ref: 00007FFBA95FAD64
FillConsoleOutputCharacterW.KERNEL32 ref: 00007FFBA95FAE75
SetProcessDEPPolicy.KERNEL32 ref: 00007FFBA95FAE7D
QueryMemoryResourceNotification.KERNEL32 ref: 00007FFBA95FAE87
ReadFile.KERNEL32 ref: 00007FFBA95FAE9C
VirtualUnlock.KERNEL32 ref: 00007FFBA95FAEA6
SetConsoleWindowInfo.KERNEL32 ref: 00007FFBA95FAEB3
SetFileValidData.KERNEL32 ref: 00007FFBA95FAEBD
FreeLibraryWhenCallbackReturns.KERNEL32 ref: 00007FFBA95FAEC7
GetStringTypeExW.KERNEL32 ref: 00007FFBA95FAEDC
WakeAllConditionVariable.KERNEL32 ref: 00007FFBA95FAEE4
CreateFileMappingFromApp.KERNEL32 ref: 00007FFBA95FAF00
GetSystemTimeAdjustment.KERNEL32 ref: 00007FFBA95FAF0D
GetFileAttributesW.KERNEL32 ref: 00007FFBA95FAF15
VerifyScripts.KERNEL32 ref: 00007FFBA95FAF33
CreateFiber.KERNEL32 ref: 00007FFBA95FAF40
InterlockedFlushSList.KERNEL32 ref: 00007FFBA95FAF48
ReleaseMutexWhenCallbackReturns.KERNEL32 ref: 00007FFBA95FAF52
GetMaximumProcessorGroupCount.KERNEL32 ref: 00007FFBA95FAF58
AllocateUserPhysicalPages.KERNEL32 ref: 00007FFBA95FAF65
EndUpdateResourceW.KERNEL32 ref: 00007FFBA95FB438
FindFirstFileExW.KERNEL32 ref: 00007FFBA95FB451
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFBA95FB45E
GetModuleFileNameW.KERNEL32 ref: 00007FFBA95FB46B
GetCalendarInfoW.KERNEL32 ref: 00007FFBA95FB484
GetProcAddress.KERNEL32 ref: 00007FFBA95FB493
WriteTapemark.KERNEL32 ref: 00007FFBA95FB4A3
ReadConsoleOutputW.KERNEL32 ref: 00007FFBA95FB4C2
FindFirstVolumeMountPointW.KERNEL32 ref: 00007FFBA95FB4CF
OpenProcess.KERNEL32 ref: 00007FFBA95FB4DC
QueryThreadProfiling.KERNEL32 ref: 00007FFBA95FB4E6
CreateMutexExW.KERNEL32 ref: 00007FFBA95FB4F6
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFBA95FB500
GetThreadTimes.KERNEL32 ref: 00007FFBA95FB515
GetConsoleCP.KERNEL32 ref: 00007FFBA95FB51B
GetNamedPipeClientComputerNameW.KERNEL32 ref: 00007FFBA95FB528
SetCommTimeouts.KERNEL32 ref: 00007FFBA95FB532
FindFirstVolumeW.KERNEL32 ref: 00007FFBA95FB53C
AddDllDirectory.KERNEL32 ref: 00007FFBA95FB549
QueryDepthSList.KERNEL32 ref: 00007FFBA95FB551
GetCurrentProcessId.KERNEL32 ref: 00007FFBA95FB557
OpenFileById.KERNEL32 ref: 00007FFBA95FB570
GetEnvironmentStringsW.KERNEL32 ref: 00007FFBA95FB576
SetFirmwareEnvironmentVariableExW.KERNEL32 ref: 00007FFBA95FB58A
OutputDebugStringA.KERNEL32 ref: 00007FFBA95FB61C

Strings

q8MQj7UjIbj83Z4AUM3Tlbcc9P, xrefs: 00007FFBA95FB10E
txt, xrefs: 00007FFBA95FA9B9
l2jovnru29cd8MhP8d6OM, xrefs: 00007FFBA95FB48A
ymTE359rU87887T4m, xrefs: 00007FFBA95FAF2A
ios_base::failbit set, xrefs: 00007FFBA95FB2D0
qKChP, xrefs: 00007FFBA95FA35D
psBNQd, xrefs: 00007FFBA95FB388
c2bKzs3k2kwXbw6568EM6m52khL, xrefs: 00007FFBA95FAF20
rqy7j9ShmlP3m1Pmx4V, xrefs: 00007FFBA95FB105
ios_base::badbit set, xrefs: 00007FFBA95FAA5C
Uzht1rQPTbcx4SZsZh, xrefs: 00007FFBA95FB542
aLvcljpRWao6KR4OEu, xrefs: 00007FFBA95FB189
A979pWQ6ag1233kN6LO418lAdt, xrefs: 00007FFBA95FAEEA
ios_base::eofbit set, xrefs: 00007FFBA95FB2D7
THvdsRxqizlweyPXh, xrefs: 00007FFBA95FAD45
HEX, xrefs: 00007FFBA95FA974
xLqackAIHinuFqCHBAHSIkxDtv, xrefs: 00007FFBA95FB615

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: File$Console$CreateQuery$CommCryptEnvironmentFindFirstFreeNameOutputProcessStringTime$CallbackContextInfoListMutexOpenReadReleaseResourceReturnsStringsSystemTempThreadVariableVirtualVolumeWhen$AcquireAddressAdjustmentAllocateAttributesCalendarCharacterCheckClientCloseCompareComputerConditionConfigCountCtrlCurrentDataDebugDebuggerDeleteDepthDirectoryEscapeExceptionExpandFiberFillFilterFirmwareFlagsFlushFromFunctionGlobalGroupHandleHandlerHeapInformationInterlockedLibraryMappingMaximumMemoryModuleMountNamedNotificationPagesPathPhysicalPipePointPolicyPresentProcProcessorProfilingRandomRemoteScriptsSemaphoreTapemarkTimeoutsTimesTransactedTypeUnhandledUnlockUpdateUserValidVerifyWakeWindowWrite
String ID: A979pWQ6ag1233kN6LO418lAdt$HEX$THvdsRxqizlweyPXh$Uzht1rQPTbcx4SZsZh$aLvcljpRWao6KR4OEu$c2bKzs3k2kwXbw6568EM6m52khL$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$l2jovnru29cd8MhP8d6OM$psBNQd$q8MQj7UjIbj83Z4AUM3Tlbcc9P$qKChP$rqy7j9ShmlP3m1Pmx4V$txt$xLqackAIHinuFqCHBAHSIkxDtv$ymTE359rU87887T4m
API String ID: 3792000519-2040863573
Opcode ID: 4bc6e3a6eb31c10491ea35a31c73a1d7975e240b71c7bd7a014f185f2a942040
Instruction ID: 882497209a7cf222c7050de54e25ce08f865a00467b852f628a83efcd061c5be
Opcode Fuzzy Hash: 4bc6e3a6eb31c10491ea35a31c73a1d7975e240b71c7bd7a014f185f2a942040
Instruction Fuzzy Hash: 58D27C72A09B828AE711CFB4E8442ED77B1FB98348F10913ADE8D97A69DF38D155D700

Function 00007FFBA95F7410 Relevance: 157.2, APIs: 77, Strings: 12, Instructions: 1457timethreadregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 00007FFBA95F7469
InvalidateRect.USER32 ref: 00007FFBA95F7795
BeginPaint.USER32 ref: 00007FFBA95F77A4
CreateSolidBrush.GDI32 ref: 00007FFBA95F7802
FillRect.USER32 ref: 00007FFBA95F7829
GetStockObject.GDI32 ref: 00007FFBA95F7834
FrameRect.USER32 ref: 00007FFBA95F7844
DeleteObject.GDI32 ref: 00007FFBA95F784D
CreateSolidBrush.GDI32 ref: 00007FFBA95F78AE
FillRect.USER32 ref: 00007FFBA95F78D4
GetStockObject.GDI32 ref: 00007FFBA95F78DF
FrameRect.USER32 ref: 00007FFBA95F78F0
DeleteObject.GDI32 ref: 00007FFBA95F78F9
EndPaint.USER32 ref: 00007FFBA95F7910
KillTimer.USER32 ref: 00007FFBA95F791F
PostQuitMessage.USER32 ref: 00007FFBA95F7927
SetTimer.USER32 ref: 00007FFBA95F793D
GetCurrentProcess.KERNEL32 ref: 00007FFBA95F7D4C
GetProcessTimes.KERNEL32 ref: 00007FFBA95F7D76
OutputDebugStringW.KERNEL32 ref: 00007FFBA95F8004
GetTextColor.GDI32 ref: 00007FFBA95F80B1
TerminateJobObject.KERNEL32 ref: 00007FFBA95F80BB
InitializeSListHead.KERNEL32 ref: 00007FFBA95F80C3
SetWindowOrgEx.GDI32 ref: 00007FFBA95F80D3
TextOutW.GDI32 ref: 00007FFBA95F80E8
RemoveFontResourceW.GDI32 ref: 00007FFBA95F80F0
SetDefaultDllDirectories.KERNEL32 ref: 00007FFBA95F80F8
GetConsoleSelectionInfo.KERNEL32 ref: 00007FFBA95F8100
MapUserPhysicalPagesScatter.KERNEL32 ref: 00007FFBA95F810D
GetCharWidthFloatW.GDI32 ref: 00007FFBA95F811D
GetSystemDefaultLCID.KERNEL32 ref: 00007FFBA95F8123
RemoveFontResourceExW.GDI32 ref: 00007FFBA95F8130
RemoveDirectoryTransactedW.KERNEL32 ref: 00007FFBA95F813A
ReleaseMutexWhenCallbackReturns.KERNEL32 ref: 00007FFBA95F8144
OpenMutexW.KERNEL32 ref: 00007FFBA95F8158
OutputDebugStringW.KERNEL32 ref: 00007FFBA95F816D
CloseHandle.KERNEL32 ref: 00007FFBA95F8176
GetTempPathW.KERNEL32 ref: 00007FFBA95F8197

Part of subcall function 00007FFBA96001D0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9600282
Part of subcall function 00007FFBA96001D0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA96002AA
Part of subcall function 00007FFBA96001D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA96002D7
Part of subcall function 00007FFBA96001D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960036A

Part of subcall function 00007FFBA96001D0: std::_Facet_Register.LIBCPMT ref: 00007FFBA9600350

OutputDebugStringW.KERNEL32 ref: 00007FFBA95F8185
GetFileAttributesW.KERNEL32 ref: 00007FFBA95F82CD
OutputDebugStringA.KERNEL32 ref: 00007FFBA95F84DC
RegOpenKeyExW.ADVAPI32 ref: 00007FFBA95F8577
OutputDebugStringW.KERNEL32 ref: 00007FFBA95F867C

Part of subcall function 00007FFBA9657C1C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9657C4C
Part of subcall function 00007FFBA9657C1C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9657C52

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA95F87A1

Part of subcall function 00007FFBA95F1770: __std_exception_copy.LIBVCRUNTIME ref: 00007FFBA95F17B4

ClearCommBreak.KERNEL32 ref: 00007FFBA95F8903
InterlockedPushListSListEx.KERNEL32 ref: 00007FFBA95F8913
ClearCommBreak.KERNEL32 ref: 00007FFBA95F891B
GetCurrencyFormatW.KERNEL32 ref: 00007FFBA95F8934
OpenFileById.KERNEL32 ref: 00007FFBA95F894D
CancelThreadpoolIo.KERNEL32 ref: 00007FFBA95F8955
GlobalLock.KERNEL32 ref: 00007FFBA95F895D
GetConsoleTitleW.KERNEL32 ref: 00007FFBA95F8967
InitOnceExecuteOnce.KERNEL32 ref: 00007FFBA95F8977
GetConsoleScreenBufferInfoEx.KERNEL32 ref: 00007FFBA95F8981
SetTapeParameters.KERNEL32 ref: 00007FFBA95F898E
FindNextVolumeW.KERNEL32 ref: 00007FFBA95F899B
IsProcessInJob.KERNEL32 ref: 00007FFBA95F89A8
InitializeConditionVariable.KERNEL32 ref: 00007FFBA95F89B0
RegisterWaitForSingleObject.KERNEL32 ref: 00007FFBA95F89EE
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FFBA95F89FE
GetSystemDefaultUILanguage.KERNEL32 ref: 00007FFBA95F8A04
GetPhysicallyInstalledSystemMemory.KERNEL32 ref: 00007FFBA95F8A0C
CreateWaitableTimerW.KERNEL32 ref: 00007FFBA95F8A19
ReadFile.KERNEL32 ref: 00007FFBA95F8A2E
GetCommModemStatus.KERNEL32 ref: 00007FFBA95F8A38
EnumSystemGeoID.KERNEL32 ref: 00007FFBA95F8A45
QueryIdleProcessorCycleTime.KERNEL32 ref: 00007FFBA95F8A4F
SetThreadpoolThreadMinimum.KERNEL32 ref: 00007FFBA95F8A59
ApplicationRecoveryFinished.KERNEL32 ref: 00007FFBA95F8A61
CreateEventExW.KERNEL32 ref: 00007FFBA95F8A71
GetLogicalDrives.KERNEL32 ref: 00007FFBA95F8A77
ScrollConsoleScreenBufferW.KERNEL32 ref: 00007FFBA95F8A8D
ReadConsoleOutputCharacterW.KERNEL32 ref: 00007FFBA95F8AA3
OpenFileById.KERNEL32 ref: 00007FFBA95F8ABC
SetConsoleHistoryInfo.KERNEL32 ref: 00007FFBA95F8AC4
OpenFileMappingW.KERNEL32 ref: 00007FFBA95F8AD1
OpenEventW.KERNEL32 ref: 00007FFBA95F8ADE

Strings

Software\CeNLpbUwezaqtSlAPLPttom, xrefs: 00007FFBA95F8569
MyUniqueMutex, xrefs: 00007FFBA95F814A
UOvhTzopmYnQCxFn, xrefs: 00007FFBA95F84D5
seoigjisue uioase fuia., xrefs: 00007FFBA95F8166
ios_base::failbit set, xrefs: 00007FFBA95F87CA
ios_base::eofbit set, xrefs: 00007FFBA95F87D1
OIUuaiu faiuhf aiu iawo., xrefs: 00007FFBA95F817E
riMUnsfGWKuzKIgvRUYqpIwY, xrefs: 00007FFBA95F8675
IftrzWURTVbxMkACtuzdTyYWtNma, xrefs: 00007FFBA95F866C
ios_base::badbit set, xrefs: 00007FFBA95F87BE, 00007FFBA95F8812
%s\OwgHUiDyJkURaoArxLS, xrefs: 00007FFBA95F81A4
uiashfiua auifh uiaw: , xrefs: 00007FFBA95F7EAA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ConsoleObjectOpenOutput$DebugFileRectStringstd::_$CreateListLockitSystem$CommConcurrency::cancel_current_taskDefaultInfoInitializeProcessRemoveTimer$BreakBrushBufferClearDeleteEventFillFontFrameLockit::_Lockit::~_MutexOncePaintProcReadRegisterResourceScreenSolidStockTextThreadThreadpoolWindow$ApplicationAttributeAttributesBeginCallbackCancelCharCharacterCloseColorConditionCurrencyCurrentCycleDirectoriesDirectoryDrivesEnumExecuteFacet_FindFinishedFloatFormatGlobalHandleHeadHistoryIdleInitInstalledInterlockedInvalidateKillLanguageLockLogicalMappingMemoryMessageMinimumModemNextPagesParametersPathPhysicalPhysicallyPostProcessorPushQueryQuitRecoveryReleaseReturnsScatterScrollSelectionSingleStatusTapeTempTerminateTimeTimesTitleTransactedUserVariableVolumeWaitWaitableWhenWidth__std_exception_copy
String ID: %s\OwgHUiDyJkURaoArxLS$IftrzWURTVbxMkACtuzdTyYWtNma$MyUniqueMutex$OIUuaiu faiuhf aiu iawo.$Software\CeNLpbUwezaqtSlAPLPttom$UOvhTzopmYnQCxFn$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$riMUnsfGWKuzKIgvRUYqpIwY$seoigjisue uioase fuia.$uiashfiua auifh uiaw:
API String ID: 1690712610-1854859770
Opcode ID: 17a5534ba494e3b2cfd93f4c678e132f2b7e6c4497569f75aafdf0507f04a968
Instruction ID: fdf6b7bb3aa31953de1cca7558a66d6a183e830fa8ef3df18144a637653c60bd
Opcode Fuzzy Hash: 17a5534ba494e3b2cfd93f4c678e132f2b7e6c4497569f75aafdf0507f04a968
Instruction Fuzzy Hash: 3BE291B2A1A7828AEB15CF78D8412AD77A1FF94788F105136DE4E87AA9DF3CD144D700

Function 00007FFBA95FED50 Relevance: 89.5, APIs: 47, Strings: 4, Instructions: 258
memorytimethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryIdleProcessorCycleTime.KERNEL32 ref: 00007FFBA95FEDC0
GetCompressedFileSizeTransactedW.KERNEL32 ref: 00007FFBA95FEDCD
UpdateResourceW.KERNEL32 ref: 00007FFBA95FEDE6
SetupComm.KERNEL32 ref: 00007FFBA95FEDF3
SetThreadPreferredUILanguages.KERNEL32 ref: 00007FFBA95FEE00
VirtualAllocEx.KERNEL32 ref: 00007FFBA95FEE14
UnlockFile.KERNEL32 ref: 00007FFBA95FEE28
SetTimeZoneInformation.KERNEL32 ref: 00007FFBA95FEE30
GetDynamicTimeZoneInformation.KERNEL32 ref: 00007FFBA95FEE38
SetThreadDescription.KERNEL32 ref: 00007FFBA95FEE47
MultiByteToWideChar.KERNEL32 ref: 00007FFBA95FEE64
TryEnterCriticalSection.KERNEL32 ref: 00007FFBA95FEE6C
GetProcessHeap.KERNEL32 ref: 00007FFBA95FEE72
SetUserGeoID.KERNEL32 ref: 00007FFBA95FEE7A
GetFileBandwidthReservation.KERNEL32 ref: 00007FFBA95FEE94
CompareStringW.KERNEL32 ref: 00007FFBA95FEEAD
SetComputerNameW.KERNEL32 ref: 00007FFBA95FEEB5
CreateMailslotW.KERNEL32 ref: 00007FFBA95FEEC5
GetConsoleMode.KERNEL32 ref: 00007FFBA95FEECF
SetFirmwareEnvironmentVariableExW.KERNEL32 ref: 00007FFBA95FEEE3
WakeAllConditionVariable.KERNEL32 ref: 00007FFBA95FEEEB
SetEnvironmentVariableW.KERNEL32 ref: 00007FFBA95FEEF5
MulDiv.KERNEL32 ref: 00007FFBA95FEF02
EndUpdateResourceW.KERNEL32 ref: 00007FFBA95FEF0C
WaitForThreadpoolWorkCallbacks.KERNEL32 ref: 00007FFBA95FF011
VirtualFree.KERNEL32 ref: 00007FFBA95FF01E
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00007FFBA95FF02B
ReleaseSemaphore.KERNEL32 ref: 00007FFBA95FF038
GetActiveProcessorCount.KERNEL32 ref: 00007FFBA95FF040
FindFirstVolumeW.KERNEL32 ref: 00007FFBA95FF04A
WinExec.KERNEL32 ref: 00007FFBA95FF059
SetSystemPowerState.KERNEL32 ref: 00007FFBA95FF063
BeginUpdateResourceW.KERNEL32 ref: 00007FFBA95FF06D
GetMaximumProcessorCount.KERNEL32 ref: 00007FFBA95FF075
SetTapePosition.KERNEL32 ref: 00007FFBA95FF08D
GetThreadId.KERNEL32 ref: 00007FFBA95FF095
GlobalFree.KERNEL32 ref: 00007FFBA95FF09D
HeapDestroy.KERNEL32 ref: 00007FFBA95FF0A5
BeginUpdateResourceW.KERNEL32 ref: 00007FFBA95FF0AF
HeapAlloc.KERNEL32 ref: 00007FFBA95FF0BC
SetStdHandle.KERNEL32 ref: 00007FFBA95FF0C6
SleepConditionVariableCS.KERNEL32 ref: 00007FFBA95FF0D3
GetProcessMitigationPolicy.KERNEL32 ref: 00007FFBA95FF0E3
GetSystemPreferredUILanguages.KERNEL32 ref: 00007FFBA95FF0F3
IsBadStringPtrW.KERNEL32 ref: 00007FFBA95FF0FD
GetModuleFileNameW.KERNEL32 ref: 00007FFBA95FF10A
OutputDebugStringA.KERNEL32 ref: 00007FFBA95FF11B

Strings

D6YwOPzb49pijon, xrefs: 00007FFBA95FEE59
fIXdhHlfeAXIGhON, xrefs: 00007FFBA95FF114
aaQfgTE454qThq1uwGYsNMzQ5lPF, xrefs: 00007FFBA95FEE3E
YNJ83CSN5IE1xKaK4d, xrefs: 00007FFBA95FF052

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Time$FileResourceUpdateVariable$HeapProcessorStringSystemThread$AllocBeginConditionCountEnvironmentFreeInformationLanguagesNamePreferredProcessVirtualZone$ActiveBandwidthByteCallbacksCharCommCompareCompressedComputerConsoleCreateCriticalCycleDebugDescriptionDestroyDynamicEnterExecFindFirmwareFirstGlobalHandleIdleLocalMailslotMaximumMitigationModeModuleMultiOutputPolicyPositionPowerQueryReleaseReservationSectionSemaphoreSetupSizeSleepSpecificStateTapeThreadpoolTransactedUnlockUserVolumeWaitWakeWideWork
String ID: D6YwOPzb49pijon$YNJ83CSN5IE1xKaK4d$aaQfgTE454qThq1uwGYsNMzQ5lPF$fIXdhHlfeAXIGhON
API String ID: 1779332759-4220343184
Opcode ID: da0432c8cc2626400107e69deee25dc8d98022bf60d8a4ee0e216a4b8a4c2e39
Instruction ID: f2544997aab0082fb762c0600064f3e3c562dda1489057c7aea296399d4cb974
Opcode Fuzzy Hash: da0432c8cc2626400107e69deee25dc8d98022bf60d8a4ee0e216a4b8a4c2e39
Instruction Fuzzy Hash: 7FC19272B097529AF72DDF75E81A66E33A2FF98348F40803ADE4A86958DF3DD1049710

Function 00007FFBA95F3C30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00382156352f3801a569f86596323dd6293dcde0ea7e8be4066c5463347c6eaa
Instruction ID: 15db0e9e592f8c193c982cee6cfd90232a7a9c82278c636d600277c417fb2dd7
Opcode Fuzzy Hash: 00382156352f3801a569f86596323dd6293dcde0ea7e8be4066c5463347c6eaa
Instruction Fuzzy Hash: B3011A72A19F4291DF118F10D44969D73A8FB44384FA10276DBAC42310EF7ACA59C740

Function 00007FFBA9658398 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBA96583C0
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFBA9658412
_RTC_Initialize.LIBCMT ref: 00007FFBA9658440
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFBA9658466
__scrt_release_startup_lock.LIBCMT ref: 00007FFBA9658491

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 1a6d2ac95829484d5dfdff3175d41fea777ad3b637e96c69612a76ccb78aab20
Instruction ID: 9ff0c4c3ecaa799c211afd19ce2328ad31c5a8db702ccc0a793cb119d3648e5e
Opcode Fuzzy Hash: 1a6d2ac95829484d5dfdff3175d41fea777ad3b637e96c69612a76ccb78aab20
Instruction Fuzzy Hash: 71816DE0E0A64386FB969F7EDC412792690AF45780F086435DE4DCBB96DF3CE945A700

Function 00007FFBA966BC50 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FFBA966BCC9
GetFileType.KERNEL32 ref: 00007FFBA966BCDF

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: b88e6060e1857685a353ba5638cab9177efe6cdc1d25c97a3ef3f2c22fa93f78
Instruction ID: 9b1ad32433544bb8e3471f16bc8c94bad9d5054780438cfcf6408e34f54bdf70
Opcode Fuzzy Hash: b88e6060e1857685a353ba5638cab9177efe6cdc1d25c97a3ef3f2c22fa93f78
Instruction Fuzzy Hash: 9F316261A19A46D2E7658F39DD901782B50EF46BA0F642326DF6E873E0CF38E451E340

Function 00007FFBA963C9C0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA963CA8D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 901f2fe760f7ccc907f520c551dfeb9c066e07d514b1f6067081a4fd32411fae
Instruction ID: de7babd0b17f0b68792db92759936ed0fb7ce754359a9a2ed854be4808f33611
Opcode Fuzzy Hash: 901f2fe760f7ccc907f520c551dfeb9c066e07d514b1f6067081a4fd32411fae
Instruction Fuzzy Hash: DF2168B1A0AB4395E702CF25E8801697765BF84B90B544236ED4C83364EF3CE554E700

Function 00007FFBA9642960 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA9642A2D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 46908a7f00482e5dab244055130b07891d85d2ea4fdeff257d8550009a1cdc92
Instruction ID: ca55cb94de71a0f78f5d98e478986a9e79b9691073bb2ac12f62847c3a14907d
Opcode Fuzzy Hash: 46908a7f00482e5dab244055130b07891d85d2ea4fdeff257d8550009a1cdc92
Instruction Fuzzy Hash: 9F2115B1A0AA8395E7128F25E8801A97364BB887D4B544236ED8C93764EF3CE595E700

Function 00007FFBA9636AD0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA9636B9D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 2216c1814d632de29ab59466f035d9c48097aa0c66457c4f2017aff3be6cb810
Instruction ID: 7f1c5ef2c25157ec0401ca224d0165466b3563ed0aa941e7eff0f5222c6865c0
Opcode Fuzzy Hash: 2216c1814d632de29ab59466f035d9c48097aa0c66457c4f2017aff3be6cb810
Instruction Fuzzy Hash: 0A212AB2A0AB5391E712CF29EC401A67365BF88790F445236ED8D83764EF3CE569D700

Function 00007FFBA962ACB0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA962AD7D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 8bb0fef1a17d0fe21b6af960e28c267fde39ab1b87e119966cbb2eaecd843525
Instruction ID: 03cff205b8df09aee8eaecb1cd5ee6e908ce2028858e2ac765031f266b02375c
Opcode Fuzzy Hash: 8bb0fef1a17d0fe21b6af960e28c267fde39ab1b87e119966cbb2eaecd843525
Instruction Fuzzy Hash: 0B2175B2A0AB4395F752CF24E8400A87365BF887A0F444236ED8C93764EF7CE994E700

Function 00007FFBA962F060 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA962F12D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: e5ed3c1ce36f9119ba4d02501dc2c8e2d20f26162c5abcd7ce85943491893f14
Instruction ID: c10a75ae63d8459e07c64bad00bf409662db0c8df43ae8b3f50862b6de8b64db
Opcode Fuzzy Hash: e5ed3c1ce36f9119ba4d02501dc2c8e2d20f26162c5abcd7ce85943491893f14
Instruction Fuzzy Hash: 532135B5A0AA4391FB42CF25E8400A873A4FB887A0B405236DD9D83764EF3CE454EB00

Function 00007FFBA962E2F0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA962E3BD

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: f2fad4669aedfaade65bf6803e6503baea71a95b2cfda9b5a9e718260163ed98
Instruction ID: 9ceffdb18be2c0e330a70444d8e62623b8443ae15851abf6aa22d7106f01d623
Opcode Fuzzy Hash: f2fad4669aedfaade65bf6803e6503baea71a95b2cfda9b5a9e718260163ed98
Instruction Fuzzy Hash: B62117B1A0AA5381E7128F29ED4016573B4FF48790F545236DE5C83764EF3CE599D704

Function 00007FFBA96444C0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA964458D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 52159b6f8a97fd83bec276c5f716af0095044c50b08340cd51632139d2771d01
Instruction ID: ac3db8f1a8927f8252110232d260d637c446720e7029b3c1d5dbc923a5dc843a
Opcode Fuzzy Hash: 52159b6f8a97fd83bec276c5f716af0095044c50b08340cd51632139d2771d01
Instruction Fuzzy Hash: C62126B1A0AA8391EB02CF29EC401B47364BF887A4F544236ED8D83764DF7CE585D704

Function 00007FFBA963E570 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA963E63D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 4615feb78baca2c9bf0f36050c72a83fe088676a3d9dce4856788295178d935b
Instruction ID: f3e3a050606aa45a38f8fb1a7bdabc4d844342644ca3dc3e7839e3ade96c7df3
Opcode Fuzzy Hash: 4615feb78baca2c9bf0f36050c72a83fe088676a3d9dce4856788295178d935b
Instruction Fuzzy Hash: FE2139B6A0AB4391EB52CF29ED401A57365BF88790F544236DE8C83764EF3CE954D710

Function 00007FFBA9631920 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA96319ED

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 6c0938fdcfbc85b55fc8b353ece93bb1f880164a684e841e4e9c6df2e5ed99ba
Instruction ID: 3dbd92910d2890ffb1aab5ab684165783ffec381d9826e36d38f4b35e2ef72cd
Opcode Fuzzy Hash: 6c0938fdcfbc85b55fc8b353ece93bb1f880164a684e841e4e9c6df2e5ed99ba
Instruction Fuzzy Hash: 122115B1A0AB4396EB52CF25E8401B973A5EF887A0F445236DD8D93764EF3CE594DB00

Function 00007FFBA9625AF0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA9625BBD

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: f34b7e0f922197a11b29a141981e89114ed00b19fd6ca1f7da39dc8b6dd53b2e
Instruction ID: 72746bb2f5a1f71217fda9ad11635b71344026b67ba37e0b2f3f30d86c3cb643
Opcode Fuzzy Hash: f34b7e0f922197a11b29a141981e89114ed00b19fd6ca1f7da39dc8b6dd53b2e
Instruction Fuzzy Hash: A721D6B5A0AA4395E712CF29EC802A973A5BF88790B545236ED8C83764EF3CF555E700

Function 00007FFBA9635D60 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA9635E2D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 58d0fe770fe65df85388bd25652d1d30580f8f71c63b144daa70fa913399227e
Instruction ID: 4c95c58a47111286bb13ba7cced6d4051088715c59d77ec7886a39b16caa295c
Opcode Fuzzy Hash: 58d0fe770fe65df85388bd25652d1d30580f8f71c63b144daa70fa913399227e
Instruction Fuzzy Hash: FD2133B2A0AB4395F7128F25E8402A57366BB887A0F440236ED8D83764EF3CE494E710

Function 00007FFBA9629F20 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA9629FED

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 2de5efc9e2bdca7c4b5550f55fa36ee5ee23a6ba5c36e095a0a7a07aca3a6ad1
Instruction ID: 1149dd55bd8e0e152dc2ba9213070b827a6c395bfaa5fc16dc8621cf5c256912
Opcode Fuzzy Hash: 2de5efc9e2bdca7c4b5550f55fa36ee5ee23a6ba5c36e095a0a7a07aca3a6ad1
Instruction Fuzzy Hash: 90213BB1A0AB4391E712CF29ED811A5B365BF887D0B445236ED4C83B64EF3CE555E700

Function 00007FFBA962D550 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA962D61D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: 3024d70730032b02487e89086fe319eea2463248c10aa686a73a1053d282a746
Instruction ID: 95b647ee52ae81d65495f7dfa01ff38ebff9bcf7961a427452a7d0836c64a7a5
Opcode Fuzzy Hash: 3024d70730032b02487e89086fe319eea2463248c10aa686a73a1053d282a746
Instruction Fuzzy Hash: 0F2115B5A0AB4395EB12CF25E9401B973A4AB897A0F444236ED8D83764EF3CE555E700

Function 00007FFBA963D7A0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA963D86D

Part of subcall function 00007FFBA9657BA4: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657BB4

Part of subcall function 00007FFBA9657B38: AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B48
Part of subcall function 00007FFBA9657B38: ReleaseSRWLockExclusive.KERNEL32 ref: 00007FFBA9657B88

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release__std_exception_destroy
String ID:
API String ID: 507308885-0
Opcode ID: a9eeaf04479a218de3a67ebf47001aef62457c3bf3ae9ed1559aac773f723b1e
Instruction ID: e9299dc9ba834c864ffcc5770dbd1d09710749fc2120c8589a87f4ed8a09ae45
Opcode Fuzzy Hash: a9eeaf04479a218de3a67ebf47001aef62457c3bf3ae9ed1559aac773f723b1e
Instruction Fuzzy Hash: 5F2104B5A0AA8395F712CF25E8901A57365BB88794B444236ED8C83764EF3CE559E700

Function 00007FFBA96760A8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA96760D3

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a1505b7de73ba63bd3143bb966fd37176ba1da90126faced7c2f745c3969e65b
Instruction ID: 0982d077eef863754fb0401727cdaaea243523a53e1c62eb5232fa05f6152aa7
Opcode Fuzzy Hash: a1505b7de73ba63bd3143bb966fd37176ba1da90126faced7c2f745c3969e65b
Instruction Fuzzy Hash: 75118BB2D0A68382E7169F2CE84013962A5BF84780F052434EE8DC779ADE3CE850AB05

Function 00007FFBA9655B30 Relevance: 1.5, APIs: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 00007FFBA9655B9B

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 63a3769490ac361e987acf101e4ca7f86bc07a43bc2544b466abdcec6eee52cd
Instruction ID: 931cbf575b31df11d0e52f4ad54e811a4495e315315617c663f8ba1342fe5869
Opcode Fuzzy Hash: 63a3769490ac361e987acf101e4ca7f86bc07a43bc2544b466abdcec6eee52cd
Instruction Fuzzy Hash: 34019D7A604F88D6CB50CF1AE58028AB7A0F388BD4F588516EF8D47B28CB38D561CB04

Function 00007FFBA9655BD0 Relevance: 1.5, APIs: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FFBA9655C26

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1d5b515d84ae4ba224acf11471ed87933b4847b630e0cd98cdfba70a3cd6e0ff
Instruction ID: ba3346dd10bc1d97ccf6f8559c773308b8840ff5e6c0cf5cb115532b19cb4361
Opcode Fuzzy Hash: 1d5b515d84ae4ba224acf11471ed87933b4847b630e0cd98cdfba70a3cd6e0ff
Instruction Fuzzy Hash: B901AE7A600B9886CB50CF1AE48021977B0F398FD4B518116DF9D53728CB79D852CB00

Function 00007FFBA9655DA0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNELBASE ref: 00007FFBA9655DE5

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 1a018f851f1f377f805ad9a735c1e1fbf772d561ae6850e649be887b72fee7e2
Instruction ID: 55650d35114140a62fbf3fd1cb08e4ed52e05ab70d5bc8e037a2c072b5e90ecd
Opcode Fuzzy Hash: 1a018f851f1f377f805ad9a735c1e1fbf772d561ae6850e649be887b72fee7e2
Instruction Fuzzy Hash: 13F09DB6600B8886CB50CF5AE584A5977A0F798FD8B668026DF5D83324DB3AC895CB00

Function 00007FFBA9655570 Relevance: 1.5, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00007FFBA96555AE

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b6c10551646a8ea99d28050b4acfafc8722b47d70e0d3f0d9c19c979f68761b6
Instruction ID: a9be44ab45f700a2c995be776407f930966a92b362fe217323674d9d94b66432
Opcode Fuzzy Hash: b6c10551646a8ea99d28050b4acfafc8722b47d70e0d3f0d9c19c979f68761b6
Instruction Fuzzy Hash: 35F092B6601A58C6DB50CF6AC489A683764F758B9AF168106DF0D43350EB36C485CB40

Function 00007FFBA9658160 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFBA9658174

Part of subcall function 00007FFBA965A074: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFBA965A07C
Part of subcall function 00007FFBA965A074: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFBA965A081

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: cb3cdb35fb88c604c6f419b3b94207eef368c3c320eead282d504f582097a879
Instruction ID: f0a8fb7ba6d20802bd6b8e0a6c02b837fee5fb75107960833d9b225a7122cb14
Opcode Fuzzy Hash: cb3cdb35fb88c604c6f419b3b94207eef368c3c320eead282d504f582097a879
Instruction Fuzzy Hash: BCE07EA4D1A24345FFBA6E39DD022B906400F22388E483079DE4DCA5838E1E240A3621

Function 00007FFBA9655680 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FFBA96556A4

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 87b60db794cc58e71cd187f0e8d28195370d7833891feb7c82face860a6f9392
Instruction ID: acba1fe49ee8351d4f0489dbb5485bd46bb8baaf7d3ea97e89b45ff6e6ab8d73
Opcode Fuzzy Hash: 87b60db794cc58e71cd187f0e8d28195370d7833891feb7c82face860a6f9392
Instruction Fuzzy Hash: BEE0E2F3701A80C6DB14CF69C48536877A1EB58B8AF19D019CB1C4B394EA3AC489CB10

Function 00007FFBA96557F0 Relevance: 1.5, APIs: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE ref: 00007FFBA9655815

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 64f5b080c25a1b1305972217582c773acc28e18377de6c7d71395811f79fe030
Instruction ID: bd163c577e9ce18f4b075926397e83b64eecf23374aa37bcc9d73811e0e4acd9
Opcode Fuzzy Hash: 64f5b080c25a1b1305972217582c773acc28e18377de6c7d71395811f79fe030
Instruction Fuzzy Hash: 58E0E2F3701A80C6DF10CF69C48536867A0EB98B8AF19D01ACB1C4B354EA3AC089C710

Function 00007FFBA966BDD4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FFBA966BE29

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 56ba0e4c622bf2780aa53999738d85c8472334b18d1d68e80653ea2547e0f677
Instruction ID: 644318a0446c0748bd498592c27a17dc65f8cc179b88198affad3d70eaa40c37
Opcode Fuzzy Hash: 56ba0e4c622bf2780aa53999738d85c8472334b18d1d68e80653ea2547e0f677
Instruction Fuzzy Hash: ADF03C94B1F20385FFAE5E7DDD453B452915F8A780F8C6430CF4EC6291EE3CA8856150

Function 00007FFBA96558E0 Relevance: 1.3, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFBA9655925

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 80cf69ad0915882c5387dd82eb578969a375b42aff4fb57e751b005f4f1ace01
Instruction ID: 9374e4563b7e64cabe8176b1b90e9f23f6c39dbc316fb40c79dedfc070e24f4a
Opcode Fuzzy Hash: 80cf69ad0915882c5387dd82eb578969a375b42aff4fb57e751b005f4f1ace01
Instruction Fuzzy Hash: 9DF0ED76300B8886CB10CF1AE588A2877A0F798BC9B668026DB1D43720CB3AC995CB01

Non-executed Functions

Function 00007FFBA95F8BD0 Relevance: 277.3, APIs: 148, Strings: 10, Instructions: 765threadtimefileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFBA95F8C12
LocalFileTimeToFileTime.KERNEL32 ref: 00007FFBA95F8C1C
EraseTape.KERNEL32 ref: 00007FFBA95F8C29
GetQueuedCompletionStatus.KERNEL32 ref: 00007FFBA95F8C3D
QueryProcessCycleTime.KERNEL32 ref: 00007FFBA95F8C47
CancelWaitableTimer.KERNEL32 ref: 00007FFBA95F8C4F
GetStringTypeA.KERNEL32 ref: 00007FFBA95F8C68
GetSystemWow64DirectoryW.KERNEL32 ref: 00007FFBA95F8C72
BackupSeek.KERNEL32 ref: 00007FFBA95F8C8C
LockFileEx.KERNEL32 ref: 00007FFBA95F8CA5
CreateMemoryResourceNotification.KERNEL32 ref: 00007FFBA95F8CAD
VerifyScripts.KERNEL32 ref: 00007FFBA95F8CCA
MoveFileTransactedW.KERNEL32 ref: 00007FFBA95F8CE3
QueueUserAPC.KERNEL32 ref: 00007FFBA95F8CF0
GetProcessIoCounters.KERNEL32 ref: 00007FFBA95F8CFA
LeaveCriticalSection.KERNEL32 ref: 00007FFBA95F8D02
ChangeTimerQueueTimer.KERNEL32 ref: 00007FFBA95F8D12
SetEvent.KERNEL32 ref: 00007FFBA95F8D1A
AllocateUserPhysicalPagesNuma.KERNEL32 ref: 00007FFBA95F8D2A
GetTickCount.KERNEL32 ref: 00007FFBA95F8D30
GetVolumePathNamesForVolumeNameW.KERNEL32 ref: 00007FFBA95F8D40
GlobalAlloc.KERNEL32 ref: 00007FFBA95F8E23
SetFileAttributesW.KERNEL32 ref: 00007FFBA95F8E33
GetComputerNameW.KERNEL32 ref: 00007FFBA95F8E3D
EndMenu.USER32 ref: 00007FFBA95F8E43
EnumPropsW.USER32 ref: 00007FFBA95F8E4D
EnumResourceNamesW.KERNEL32 ref: 00007FFBA95F8E5D
CreateSemaphoreW.KERNEL32 ref: 00007FFBA95F8E6D
GetForegroundWindow.USER32 ref: 00007FFBA95F8E73
SetProcessMitigationPolicy.KERNEL32 ref: 00007FFBA95F8E80
WaitForMultipleObjectsEx.KERNEL32 ref: 00007FFBA95F8E94
CreateFiberEx.KERNEL32 ref: 00007FFBA95F8EA9
GetThreadDesktop.USER32 ref: 00007FFBA95F8EB1
IsCharLowerW.USER32 ref: 00007FFBA95F8EB9
SetProcessRestrictionExemption.USER32 ref: 00007FFBA95F8EC1
UnregisterDeviceNotification.USER32 ref: 00007FFBA95F8EC9
ScrollDC.USER32 ref: 00007FFBA95F8EE8
RegisterPointerInputTargetEx.USER32 ref: 00007FFBA95F8EF5
SetPhysicalCursorPos.USER32 ref: 00007FFBA95F8F02
GetMenuStringW.USER32 ref: 00007FFBA95F8F16
SetKeyboardState.USER32 ref: 00007FFBA95F8F1E
VkKeyScanExW.USER32 ref: 00007FFBA95F8F28
PostMessageW.USER32 ref: 00007FFBA95F8F38
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFBA95F8F9A
LCIDToLocaleName.KERNEL32 ref: 00007FFBA95F8FAA
LockFileEx.KERNEL32 ref: 00007FFBA95F8FC3
LocalFree.KERNEL32 ref: 00007FFBA95F8FCB
LockFile.KERNEL32 ref: 00007FFBA95F8FDF
QueryIdleProcessorCycleTime.KERNEL32 ref: 00007FFBA95F8FE9
InitializeSListHead.KERNEL32 ref: 00007FFBA95F8FF1
Wow64SetThreadContext.KERNEL32 ref: 00007FFBA95F8FFB
CreateDirectoryExW.KERNEL32 ref: 00007FFBA95F9008
GetNamedPipeServerProcessId.KERNEL32 ref: 00007FFBA95F9012
CreateSymbolicLinkTransactedW.KERNEL32 ref: 00007FFBA95F9022
GetVolumeInformationByHandleW.KERNEL32 ref: 00007FFBA95F9045
EnumResourceNamesExW.KERNEL32 ref: 00007FFBA95F905E
IsValidCodePage.KERNEL32 ref: 00007FFBA95F90B4
GetModuleHandleW.KERNEL32 ref: 00007FFBA95F90BC
CancelIo.KERNEL32 ref: 00007FFBA95F90C4
HeapCompact.KERNEL32 ref: 00007FFBA95F90CE
SwitchToFiber.KERNEL32 ref: 00007FFBA95F90D6
ConvertThreadToFiberEx.KERNEL32 ref: 00007FFBA95F90E0
GetNamedPipeInfo.KERNEL32 ref: 00007FFBA95F90F9
AcquireSRWLockExclusive.KERNEL32 ref: 00007FFBA95F9101
InitOnceComplete.KERNEL32 ref: 00007FFBA95F910E
FormatMessageW.KERNEL32 ref: 00007FFBA95F912E
FlsAlloc.KERNEL32 ref: 00007FFBA95F9136
GetConsoleTitleW.KERNEL32 ref: 00007FFBA95F9140
SwitchToFiber.KERNEL32 ref: 00007FFBA95F9148
CreateDirectoryExW.KERNEL32 ref: 00007FFBA95F9155
CreatePrivateNamespaceW.KERNEL32 ref: 00007FFBA95F9162
QueryPerformanceCounter.KERNEL32 ref: 00007FFBA95F916A
PurgeComm.KERNEL32 ref: 00007FFBA95F9174
EnumUILanguagesW.KERNEL32 ref: 00007FFBA95F9181
CreateEventW.KERNEL32 ref: 00007FFBA95F9191
MoveFileWithProgressW.KERNEL32 ref: 00007FFBA95F91A9
FindFirstFileW.KERNEL32 ref: 00007FFBA95F91B3
CompareStringEx.KERNEL32 ref: 00007FFBA95F91ED
IsBadStringPtrW.KERNEL32 ref: 00007FFBA95F91F7
OfferVirtualMemory.KERNEL32 ref: 00007FFBA95F9204
GetCurrentThread.KERNEL32 ref: 00007FFBA95F920A
ExtSelectClipRgn.GDI32 ref: 00007FFBA95F9253
GetNamedPipeClientSessionId.KERNEL32 ref: 00007FFBA95F925D
LocalFileTimeToFileTime.KERNEL32 ref: 00007FFBA95F9267
RtlCaptureStackBackTrace.KERNEL32 ref: 00007FFBA95F9277
GetProcessHeap.KERNEL32 ref: 00007FFBA95F927D
CreateDirectoryW.KERNEL32 ref: 00007FFBA95F9287
RectVisible.GDI32 ref: 00007FFBA95F9291
FreeEnvironmentStringsW.KERNEL32 ref: 00007FFBA95F9299
SetFileAttributesW.KERNEL32 ref: 00007FFBA95F92A3
AnimatePalette.GDI32 ref: 00007FFBA95F92B3
CopyFile2.KERNEL32 ref: 00007FFBA95F92CA
CreateDIBPatternBrush.GDI32 ref: 00007FFBA95F92D4
SetThreadpoolThreadMaximum.KERNEL32 ref: 00007FFBA95F92DE
CreateMutexExW.KERNEL32 ref: 00007FFBA95F92EE
SetCommTimeouts.KERNEL32 ref: 00007FFBA95F92F8
QueryThreadpoolStackInformation.KERNEL32 ref: 00007FFBA95F9344
GenerateConsoleCtrlEvent.KERNEL32 ref: 00007FFBA95F934E
SetThreadpoolStackInformation.KERNEL32 ref: 00007FFBA95F9358
AddDllDirectory.KERNEL32 ref: 00007FFBA95F9365
GetNativeSystemInfo.KERNEL32 ref: 00007FFBA95F936D
SetThreadpoolWait.KERNEL32 ref: 00007FFBA95F937A
SetFileAttributesW.KERNEL32 ref: 00007FFBA95F9384
SetDefaultDllDirectories.KERNEL32 ref: 00007FFBA95F938C
GetLocaleInfoW.KERNEL32 ref: 00007FFBA95F939C
GetOverlappedResult.KERNEL32 ref: 00007FFBA95F93AC
OutputDebugStringW.KERNEL32 ref: 00007FFBA95F93B4
CallNamedPipeW.KERNEL32 ref: 00007FFBA95F93D3
RtlUnwind.KERNEL32 ref: 00007FFBA95F93E3
SetCommTimeouts.KERNEL32 ref: 00007FFBA95F93ED
GetProfileStringW.KERNEL32 ref: 00007FFBA95F9402
CreateEventExW.KERNEL32 ref: 00007FFBA95F9412
GetPrivateProfileIntW.KERNEL32 ref: 00007FFBA95F9422
WinExec.KERNEL32 ref: 00007FFBA95F9431
GetProfileStringW.KERNEL32 ref: 00007FFBA95F9446
EraseTape.KERNEL32 ref: 00007FFBA95F9453
FindNextVolumeW.KERNEL32 ref: 00007FFBA95F9460
QueryThreadCycleTime.KERNEL32 ref: 00007FFBA95F946A
ResetEvent.KERNEL32 ref: 00007FFBA95F9472
GetNamedPipeHandleStateW.KERNEL32 ref: 00007FFBA95F9491
DeleteFileW.KERNEL32 ref: 00007FFBA95F9518
CalculatePopupWindowPosition.USER32 ref: 00007FFBA95F952D
GetWindowPlacement.USER32 ref: 00007FFBA95F9537
IsCharAlphaW.USER32 ref: 00007FFBA95F953F
GetConsoleAliasExesLengthW.KERNEL32 ref: 00007FFBA95F9545
InterlockedFlushSList.KERNEL32 ref: 00007FFBA95F954D
GetConsoleAliasExesW.KERNEL32 ref: 00007FFBA95F9557
ReadDirectoryChangesW.KERNEL32 ref: 00007FFBA95F957B
QueryPerformanceCounter.KERNEL32 ref: 00007FFBA95F9583
GetOverlappedResultEx.KERNEL32 ref: 00007FFBA95F9598
GetKBCodePage.USER32 ref: 00007FFBA95F959E
GetActiveProcessorCount.KERNEL32 ref: 00007FFBA95F95A6
GetMenuItemID.USER32 ref: 00007FFBA95F95B0
GetCommState.KERNEL32 ref: 00007FFBA95F95BA
FindFirstFileW.KERNEL32 ref: 00007FFBA95F95C4
DdeReconnect.USER32 ref: 00007FFBA95F95CC
CreateRemoteThread.KERNEL32 ref: 00007FFBA95F95EB
GetRawInputData.USER32 ref: 00007FFBA95F9600
GetNamedPipeInfo.KERNEL32 ref: 00007FFBA95F9615
GetAtomNameW.KERNEL32 ref: 00007FFBA95F9622
IsBadStringPtrW.KERNEL32 ref: 00007FFBA95F962C
RtlCaptureStackBackTrace.KERNEL32 ref: 00007FFBA95F964B
FindNextChangeNotification.KERNEL32 ref: 00007FFBA95F9653
HeapReAlloc.KERNEL32 ref: 00007FFBA95F9663
SetThreadErrorMode.KERNEL32 ref: 00007FFBA95F966D
EnterSynchronizationBarrier.KERNEL32 ref: 00007FFBA95F9677
GetLogicalDrives.KERNEL32 ref: 00007FFBA95F967D
ExitProcess.KERNEL32 ref: 00007FFBA95F96BB

Strings

Bia5x4NVTbIz1abNy17RM7iGqG, xrefs: 00007FFBA95F91E6
gYQ5IdRB1w8ApFF6ocZD97yvGo, xrefs: 00007FFBA95F8CC1
VfWM1wxIPv6B7PCrGJIm2j, xrefs: 00007FFBA95F92C3
d5xwleLK1oiJ3z96rLUT, xrefs: 00007FFBA95F935E
yCE94nR79vB76Y6, xrefs: 00007FFBA95F91D1
z6rznIjPe2hxFhzbYrFAqM6AVbGO, xrefs: 00007FFBA95F8CB3
7NAremB4n51L9k4eRWjOiQKRk4E, xrefs: 00007FFBA95F91DD
7XIg1l7Ur8V857oubZNIs4D, xrefs: 00007FFBA95F942A
Sf2RKqySnLIDpFEB7SC6AE7RB, xrefs: 00007FFBA95F8C5D
568rM4RPynzm5e48DQA4yn8Ltr7, xrefs: 00007FFBA95F92BC

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: File$Create$ProcessStringThread$Time$DirectoryNamedPipeQuery$Event$CommConsoleEnumFiberFindInfoLockNameStackThreadpoolVolume$AllocAttributesCycleFreeHandleHeapInformationLocalMenuNamesNotificationProfileResourceStateTimerWindow$AliasBackCancelCaptureChangeCharCodeCountCounterCurrentEraseExesFirstInputListLocaleMemoryMessageMoveNextOverlappedPagePerformancePhysicalPrivateProcessorQueueResultSwitchSystemTapeTimeoutsTraceTransactedUserWaitWow64$AcquireActiveAllocateAlphaAnimateAtomBackupBarrierBrushCalculateCallChangesClientClipCompactCompareCompleteCompletionComputerContextConvertCopyCountersCriticalCtrlCursorDataDebugDefaultDeleteDesktopDeviceDirectoriesDiskDrivesEnterEnvironmentErrorExclusiveExecExemptionExitFile2FlushForegroundFormatGenerateGlobalHeadIdleInitInitializeInterlockedItemKeyboardLanguagesLeaveLengthLinkLogicalLowerMaximumMitigationModeModuleMultipleMutexNamespaceNativeNumaObjectsOfferOnceOutputPagesPalettePathPatternPlacementPointerPolicyPopupPositionPostProgressPropsPurgeQueuedReadReconnectRectRegisterRemoteResetRestrictionScanScriptsScrollSectionSeekSelectSemaphoreServerSessionSpaceStatusStringsSymbolicSynchronizationTargetTickTitleTypeUnregisterUnwindValidVerifyVirtualVisibleWaitableWith
String ID: 568rM4RPynzm5e48DQA4yn8Ltr7$7NAremB4n51L9k4eRWjOiQKRk4E$7XIg1l7Ur8V857oubZNIs4D$Bia5x4NVTbIz1abNy17RM7iGqG$Sf2RKqySnLIDpFEB7SC6AE7RB$VfWM1wxIPv6B7PCrGJIm2j$d5xwleLK1oiJ3z96rLUT$gYQ5IdRB1w8ApFF6ocZD97yvGo$yCE94nR79vB76Y6$z6rznIjPe2hxFhzbYrFAqM6AVbGO
API String ID: 1091978064-3612060987
Opcode ID: d9c070e4be99f4e6a46605f8c5be3e7b478b80876789e582d482d8c75b360d8e
Instruction ID: 63d371a9bf604e2dcd27d82c166f7f7e2a6d5466543505b73b84f4f54e22e7ec
Opcode Fuzzy Hash: d9c070e4be99f4e6a46605f8c5be3e7b478b80876789e582d482d8c75b360d8e
Instruction Fuzzy Hash: BB62A0B2B1965393F72ECF35E82AA2B3262FF88785F409539DE4B85854CF3DD0459600

Function 00007FFBBAF93C40 Relevance: 147.7, APIs: 82, Strings: 2, Instructions: 732COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF93CB2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF93CF6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF93D0E
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF93D2F
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF93D56
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF93D74
SetLastError.KERNEL32 ref: 00007FFBBAF93D92
BIO_read.LIBCRYPTO-3-X64 ref: 00007FFBBAF93DA4
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF948C8

Strings

ssl\d1_lib.c, xrefs: 00007FFBBAF93D07, 00007FFBBAF93D23, 00007FFBBAF93D4A, 00007FFBBAF93D6A, 00007FFBBAF94337, 00007FFBBAF9436E, 00007FFBBAF943A1, 00007FFBBAF943E7, 00007FFBBAF944B5, 00007FFBBAF9455F, 00007FFBBAF9459C, 00007FFBBAF945D3, 00007FFBBAF9460A, 00007FFBBAF94641, 00007FFBBAF94678, 00007FFBBAF946AF, 00007FFBBAF946E6, 00007FFBBAF9471D, 00007FFBBAF94754, 00007FFBBAF94789, 00007FFBBAF947C3, 00007FFBBAF947F3, 00007FFBBAF94823, 00007FFBBAF9486D, 00007FFBBAF94880, 00007FFBBAF948B0
DTLSv1_listen, xrefs: 00007FFBBAF93CFB, 00007FFBBAF9432B, 00007FFBBAF94362, 00007FFBBAF94395, 00007FFBBAF943DB, 00007FFBBAF944A9, 00007FFBBAF94553, 00007FFBBAF94590, 00007FFBBAF945C7, 00007FFBBAF945FE, 00007FFBBAF94635, 00007FFBBAF9466C, 00007FFBBAF946A3, 00007FFBBAF946DA, 00007FFBBAF94711, 00007FFBBAF94748, 00007FFBBAF9477D, 00007FFBBAF947B7, 00007FFBBAF947E7, 00007FFBBAF94817, 00007FFBBAF948A4

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_malloc$ErrorLastO_freeO_readR_clear_errorR_newR_set_debugR_set_error
String ID: DTLSv1_listen$ssl\d1_lib.c
API String ID: 1134317782-1780782668
Opcode ID: a6e507d84cff2ab15b7b0a671dc35dcdb28fa1be44fcbb459d3f1ba971c3f532
Instruction ID: 411b3f6e79ef12a63ba3fd69add1f28fc04c896a7c60756b743bea39e6d4730c
Opcode Fuzzy Hash: a6e507d84cff2ab15b7b0a671dc35dcdb28fa1be44fcbb459d3f1ba971c3f532
Instruction Fuzzy Hash: AB62C0B1E18A5246F7549779D8A46FD2365BF9038AF848132EF1D83AE6DF3CE4048709

Function 00007FFBA95FC290 Relevance: 147.4, APIs: 77, Strings: 7, Instructions: 373threadfiletimeCOMMON

Download Yara Rule

APIs

GetClipboardViewer.USER32 ref: 00007FFBA95FC300
CloseWindowStation.USER32 ref: 00007FFBA95FC308
CreateFileW.KERNEL32 ref: 00007FFBA95FC327
WaitForInputIdle.USER32 ref: 00007FFBA95FC331
IsThreadAFiber.KERNEL32 ref: 00007FFBA95FC337
GetProcessPriorityBoost.KERNEL32 ref: 00007FFBA95FC341
StartThreadpoolIo.KERNEL32 ref: 00007FFBA95FC349
CalculatePopupWindowPosition.USER32 ref: 00007FFBA95FC35E
WakeAllConditionVariable.KERNEL32 ref: 00007FFBA95FC366
RegisterClassExW.USER32 ref: 00007FFBA95FC36E
WriteConsoleInputW.KERNEL32 ref: 00007FFBA95FC37E
SetRectEmpty.USER32 ref: 00007FFBA95FC386
ScrollDC.USER32 ref: 00007FFBA95FC3A5
SetProcessRestrictionExemption.USER32 ref: 00007FFBA95FC3AD
ExitWindowsEx.USER32 ref: 00007FFBA95FC3B7
EndMenu.USER32 ref: 00007FFBA95FC3BD
GetProcessWorkingSetSizeEx.KERNEL32 ref: 00007FFBA95FC3CD
SetPhysicalCursorPos.USER32 ref: 00007FFBA95FC3D7
SwitchToThisWindow.USER32 ref: 00007FFBA95FC3E1
SetClipboardViewer.USER32 ref: 00007FFBA95FC3E9
CompareStringW.KERNEL32 ref: 00007FFBA95FC403
RegisterHotKey.USER32 ref: 00007FFBA95FC413
DdeAddData.USER32 ref: 00007FFBA95FC423
GetConsoleAliasW.KERNEL32 ref: 00007FFBA95FC433
IsCharAlphaW.USER32 ref: 00007FFBA95FC43B
GetCalendarInfoEx.KERNEL32 ref: 00007FFBA95FC463
UnionRect.USER32 ref: 00007FFBA95FC470
FindFirstVolumeW.KERNEL32 ref: 00007FFBA95FC47A
CreateMailslotW.KERNEL32 ref: 00007FFBA95FC4AA
FindNLSString.KERNEL32 ref: 00007FFBA95FC4CD
CloseThreadpoolIo.KERNEL32 ref: 00007FFBA95FC4D5
FindFirstVolumeW.KERNEL32 ref: 00007FFBA95FC4DF
ReleaseMutex.KERNEL32 ref: 00007FFBA95FC4E7
IsBadStringPtrW.KERNEL32 ref: 00007FFBA95FC4F1
FormatMessageW.KERNEL32 ref: 00007FFBA95FC510
CreateMutexExW.KERNEL32 ref: 00007FFBA95FC520
FindNLSString.KERNEL32 ref: 00007FFBA95FC543
MoveFileW.KERNEL32 ref: 00007FFBA95FC54D
GetApplicationRecoveryCallback.KERNEL32 ref: 00007FFBA95FC562
CreateThreadpoolWork.KERNEL32 ref: 00007FFBA95FC56F
FileTimeToSystemTime.KERNEL32 ref: 00007FFBA95FC579
ReadThreadProfilingData.KERNEL32 ref: 00007FFBA95FC586
IsProcessInJob.KERNEL32 ref: 00007FFBA95FC593
QueryUnbiasedInterruptTime.KERNEL32 ref: 00007FFBA95FC59B
GetProcessHandleCount.KERNEL32 ref: 00007FFBA95FC5A5
GetHandleInformation.KERNEL32 ref: 00007FFBA95FC5AF
MapViewOfFile.KERNEL32 ref: 00007FFBA95FC5C4
RtlUnwind.KERNEL32 ref: 00007FFBA95FC5D4
GetThreadUILanguage.KERNEL32 ref: 00007FFBA95FC5DA
ReadProcessMemory.KERNEL32 ref: 00007FFBA95FC643
GetThreadGroupAffinity.KERNEL32 ref: 00007FFBA95FC64D
InterlockedPushListSListEx.KERNEL32 ref: 00007FFBA95FC65D
TrySubmitThreadpoolCallback.KERNEL32 ref: 00007FFBA95FC671
lstrcpynW.KERNEL32 ref: 00007FFBA95FC67E
GetNumberOfConsoleMouseButtons.KERNEL32 ref: 00007FFBA95FC686
SignalObjectAndWait.KERNEL32 ref: 00007FFBA95FC696
GetCurrentDirectoryW.KERNEL32 ref: 00007FFBA95FC6A0
SetThreadGroupAffinity.KERNEL32 ref: 00007FFBA95FC6AD
EnumResourceLanguagesExW.KERNEL32 ref: 00007FFBA95FC6CD
RtlCaptureContext.KERNEL32 ref: 00007FFBA95FC6D5
GetProcessPreferredUILanguages.KERNEL32 ref: 00007FFBA95FC6E5
GetStringScripts.KERNEL32 ref: 00007FFBA95FC6FF
GetUserDefaultUILanguage.KERNEL32 ref: 00007FFBA95FC705
FindVolumeClose.KERNEL32 ref: 00007FFBA95FC70D
CreateTimerQueue.KERNEL32 ref: 00007FFBA95FC713
GetDiskFreeSpaceW.KERNEL32 ref: 00007FFBA95FC728
GetProfileSectionW.KERNEL32 ref: 00007FFBA95FC735
GetEnvironmentVariableW.KERNEL32 ref: 00007FFBA95FC742
SetConsoleScreenBufferInfoEx.KERNEL32 ref: 00007FFBA95FC74C
SetDynamicTimeZoneInformation.KERNEL32 ref: 00007FFBA95FC75C
GetProcessHeaps.KERNEL32 ref: 00007FFBA95FC766
CreatePipe.KERNEL32 ref: 00007FFBA95FC776
DeleteAtom.KERNEL32 ref: 00007FFBA95FC77E
CreatePipe.KERNEL32 ref: 00007FFBA95FC78E
ReadConsoleInputW.KERNEL32 ref: 00007FFBA95FC79E
Wow64GetThreadContext.KERNEL32 ref: 00007FFBA95FC7A8
GetDiskFreeSpaceW.KERNEL32 ref: 00007FFBA95FC7BD

Strings

HTVoa2Dd3bU9ADZjZEaFuYiTI, xrefs: 00007FFBA95FC2CB
cleUGB2eUq8WPKfqJuhzW9, xrefs: 00007FFBA95FC6F6
jYrj5K7TMOiLv93cvdJ9Qx, xrefs: 00007FFBA95FC52B
lf51K122vTxducL1slA9Y15Bs, xrefs: 00007FFBA95FC446
1FM55wtVyGjvkEYx7gVMBRKC7ljem, xrefs: 00007FFBA95FC4B5
x81SoqbpQqZ2GAFcMNX4UeMc, xrefs: 00007FFBA95FC452
Mtj3hSVo7Z7eR55BehgKk2u, xrefs: 00007FFBA95FC2DA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Process$Create$Thread$ConsoleFindString$FileThreadpoolTime$CloseInputReadVolumeWindow$AffinityCallbackClipboardContextDataDiskFirstFreeGroupHandleInfoInformationLanguageLanguagesListMutexPipeRectRegisterSpaceVariableViewerWait$AliasAlphaApplicationAtomBoostBufferButtonsCalculateCalendarCaptureCharClassCompareConditionCountCurrentCursorDefaultDeleteDirectoryDynamicEmptyEnumEnvironmentExemptionExitFiberFormatHeapsIdleInterlockedInterruptMailslotMemoryMenuMessageMouseMoveNumberObjectPhysicalPopupPositionPreferredPriorityProfileProfilingPushQueryQueueRecoveryReleaseResourceRestrictionScreenScriptsScrollSectionSignalSizeStartStationSubmitSwitchSystemThisTimerUnbiasedUnionUnwindUserViewWakeWindowsWorkWorkingWow64WriteZonelstrcpyn
String ID: 1FM55wtVyGjvkEYx7gVMBRKC7ljem$HTVoa2Dd3bU9ADZjZEaFuYiTI$Mtj3hSVo7Z7eR55BehgKk2u$cleUGB2eUq8WPKfqJuhzW9$jYrj5K7TMOiLv93cvdJ9Qx$lf51K122vTxducL1slA9Y15Bs$x81SoqbpQqZ2GAFcMNX4UeMc
API String ID: 2205258115-3112606794
Opcode ID: ff1984ea4a9f5f1fbeccf718d4b097fc4f0164d72de4c8dc4c505406a08dcc38
Instruction ID: 6cbbb858bd9fc4a250ceed0ec09cc44702860e1945b14da421f2d277e486b3c0
Opcode Fuzzy Hash: ff1984ea4a9f5f1fbeccf718d4b097fc4f0164d72de4c8dc4c505406a08dcc38
Instruction Fuzzy Hash: 7BE187B2B1965382F72DCF75F82AA2B3262FF88785F819039DE4B85864CF3DD0459610

Function 00007FFBBB016BB0 Relevance: 68.7, APIs: 35, Strings: 4, Instructions: 420COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBB016C43
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB016C52
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB016C6A
EVP_CIPHER_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBB016C7A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB016C87
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB016C9F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB01723A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB017252
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB01727E
EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBB017286

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFBBB016C36, 00007FFBBB016C63, 00007FFBBB016C98, 00007FFBBB016CD2, 00007FFBBB016D95, 00007FFBBB017165, 00007FFBBB0171B2, 00007FFBBB01720F, 00007FFBBB01724B, 00007FFBBB017271
SHA256, xrefs: 00007FFBBB016E7B
AES-256-CBC, xrefs: 00007FFBBB016DEB
construct_stateless_ticket, xrefs: 00007FFBBB016C57, 00007FFBBB016C8C, 00007FFBBB016CC6, 00007FFBBB016D89, 00007FFBBB0171A6, 00007FFBBB017203, 00007FFBBB017244

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_mallocX_freeX_new
String ID: AES-256-CBC$SHA256$construct_stateless_ticket$ssl\statem\statem_srvr.c
API String ID: 1847107836-3117162005
Opcode ID: 90c366323b68ef24faddebb9dee4dc44e4d6301bb9cdb3a74cbd22a0d6d07597
Instruction ID: b88b23084ce91434dd9a03385bd52c667df195ddde8c351ab4f8bc9514ea1b89
Opcode Fuzzy Hash: 90c366323b68ef24faddebb9dee4dc44e4d6301bb9cdb3a74cbd22a0d6d07597
Instruction Fuzzy Hash: 53025CE1B0C64285FB58AB79D4502FD2365BF45788F808432FF4D47AA6EE3CE5458349

Function 00007FFBBB009B6C Relevance: 68.6, APIs: 37, Strings: 2, Instructions: 333COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB015766
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB01577C
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB015794

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

X509_get0_pubkey.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB0157DE
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB015801
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?), ref: 00007FFBBB015819
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB015C30
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBB015C43
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB015C58

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFBBB01578D, 00007FFBBB015812, 00007FFBBB0158B3, 00007FFBBB0158EF, 00007FFBBB015A12, 00007FFBBB015A48, 00007FFBBB015B23, 00007FFBBB015BCB, 00007FFBBB015BFF, 00007FFBBB015C4E
tls_process_cert_verify, xrefs: 00007FFBBB015781, 00007FFBBB015806, 00007FFBBB0158A7, 00007FFBBB0158E3, 00007FFBBB015A0B, 00007FFBBB015B1C, 00007FFBBB015BC4, 00007FFBBB015BF8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_freeR_newR_set_debug$R_vset_errorX509_get0_pubkeyX_freeX_new
String ID: ssl\statem\statem_lib.c$tls_process_cert_verify
API String ID: 866029706-605054429
Opcode ID: 35390a3ecdc164a0991c63003aae187b0ec28cde386b9a84fd2919fcd9910f69
Instruction ID: 8104674fd60e3da6477d434883c26327576bf533d920c02d328a4a512f11bb11
Opcode Fuzzy Hash: 35390a3ecdc164a0991c63003aae187b0ec28cde386b9a84fd2919fcd9910f69
Instruction Fuzzy Hash: A8E1A0A1A0868281FA289B79D4952BD2390FF94B94FD4C432FF4D4B6B6DF7CE4458309

Function 00007FFBA95F9BC0 Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 282windowregistryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FFBA95F9D13

Part of subcall function 00007FFBA95F96D0: GetObjectW.GDI32 ref: 00007FFBA95F971E
Part of subcall function 00007FFBA95F96D0: GetObjectW.GDI32 ref: 00007FFBA95F9734
Part of subcall function 00007FFBA95F96D0: GetDC.USER32 ref: 00007FFBA95F9749
Part of subcall function 00007FFBA95F96D0: CreateCompatibleDC.GDI32 ref: 00007FFBA95F9755
Part of subcall function 00007FFBA95F96D0: CreateCompatibleBitmap.GDI32 ref: 00007FFBA95F9766
Part of subcall function 00007FFBA95F96D0: SelectObject.GDI32 ref: 00007FFBA95F9775
Part of subcall function 00007FFBA95F96D0: CreateCompatibleDC.GDI32 ref: 00007FFBA95F977E
Part of subcall function 00007FFBA95F96D0: CreateCompatibleDC.GDI32 ref: 00007FFBA95F9791
Part of subcall function 00007FFBA95F96D0: SelectObject.GDI32 ref: 00007FFBA95F97A8
Part of subcall function 00007FFBA95F96D0: SelectObject.GDI32 ref: 00007FFBA95F97BC
Part of subcall function 00007FFBA95F96D0: BitBlt.GDI32 ref: 00007FFBA95F97F9
Part of subcall function 00007FFBA95F96D0: BitBlt.GDI32 ref: 00007FFBA95F9838

MessageBoxW.USER32 ref: 00007FFBA95F9CB6
LoadImageW.USER32 ref: 00007FFBA95F9D74
InvalidateRect.USER32 ref: 00007FFBA95F9D8C
BeginPaint.USER32 ref: 00007FFBA95F9D9C
CreateCompatibleDC.GDI32 ref: 00007FFBA95F9DB3
SelectObject.GDI32 ref: 00007FFBA95F9DC6
BitBlt.GDI32 ref: 00007FFBA95F9DFA
DeleteDC.GDI32 ref: 00007FFBA95F9E03
CreateCompatibleDC.GDI32 ref: 00007FFBA95F9E15
SelectObject.GDI32 ref: 00007FFBA95F9E28
BitBlt.GDI32 ref: 00007FFBA95F9E5F
DeleteDC.GDI32 ref: 00007FFBA95F9E68
EndPaint.USER32 ref: 00007FFBA95F9E76
PostQuitMessage.USER32 ref: 00007FFBA95F9E80
RegisterClassW.USER32 ref: 00007FFBA95F9F17
CreateWindowExW.USER32 ref: 00007FFBA95F9F68
CreateWindowExW.USER32 ref: 00007FFBA95F9FBF
CreateWindowExW.USER32 ref: 00007FFBA95FA013
CreateWindowExW.USER32 ref: 00007FFBA95FA067
ShowWindow.USER32 ref: 00007FFBA95FA072
UpdateWindow.USER32 ref: 00007FFBA95FA07B
GetMessageW.USER32 ref: 00007FFBA95FA0A3
TranslateMessage.USER32 ref: 00007FFBA95FA0B5
DispatchMessageW.USER32 ref: 00007FFBA95FA0C0
GetMessageW.USER32 ref: 00007FFBA95FA0D3

Strings

gIazTlrCEyovkiMnACZWZZmhpP, xrefs: 00007FFBA95F9CA5
tLsjGxXmKuAlihKUEu, xrefs: 00007FFBA95F9CAC
OfKSEVgNjBgqxrDdiCAuqFlO, xrefs: 00007FFBA95FA01E
Blended BMP Editor, xrefs: 00007FFBA95F9F25
hVMKKDLVbnyUSHR, xrefs: 00007FFBA95F9F73
BUTTON, xrefs: 00007FFBA95F9F7F, 00007FFBA95F9FD6, 00007FFBA95FA02A
combined.bmp, xrefs: 00007FFBA95F9C43
esyYOJryVgHViUhwsjddvpUOkKpgz, xrefs: 00007FFBA95F9FCA
MainWindowClass, xrefs: 00007FFBA95F9EE9
, xrefs: 00007FFBA95F9E2E

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Create$Object$CompatibleMessageWindow$Select$DeleteImageLoadPaint$BeginBitmapClassDispatchInvalidatePostQuitRectRegisterShowTranslateUpdate
String ID: $BUTTON$Blended BMP Editor$MainWindowClass$OfKSEVgNjBgqxrDdiCAuqFlO$combined.bmp$esyYOJryVgHViUhwsjddvpUOkKpgz$gIazTlrCEyovkiMnACZWZZmhpP$hVMKKDLVbnyUSHR$tLsjGxXmKuAlihKUEu
API String ID: 2701338806-978924107
Opcode ID: 940cd51c2415c54506d246ab38dd73d8b5b4440131487d07c39427bc135c93d9
Instruction ID: 41c6fbc6c78aea328d06ab9dded218287cb54620270b5bf4ff9cc13cd37a7d64
Opcode Fuzzy Hash: 940cd51c2415c54506d246ab38dd73d8b5b4440131487d07c39427bc135c93d9
Instruction Fuzzy Hash: 28D193B2A0AB8382E7218F25F85476AB3A0FB85794F545135EE8D87B58DF7CD148D700

Function 00007FFBBAF9CB70 Relevance: 61.5, APIs: 32, Strings: 3, Instructions: 274COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(00000000,?,00007FFBBAFA6D26,?,?,?,?,00007FFBBAF934DD), ref: 00007FFBBAF9CB92
CRYPTO_zalloc.LIBCRYPTO-3-X64(00000000,?,00007FFBBAFA6D26,?,?,?,?,00007FFBBAF934DD), ref: 00007FFBBAF9CBBC
CRYPTO_free.LIBCRYPTO-3-X64(00000000,?,00007FFBBAFA6D26,?,?,?,?,00007FFBBAF934DD), ref: 00007FFBBAF9CBDB
EVP_PKEY_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CC37
X509_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CC89
EVP_PKEY_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CC9F
X509_chain_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CCAD
CRYPTO_memdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CCD9
CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD22
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD3E
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD50
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD68
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD79
EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CD98
X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CDBA
EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CDC6
OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CDD3
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CDED
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE18
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE2E
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE44
X509_STORE_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE4D
X509_STORE_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE56
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE7B
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CE91
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CEA6
CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CEEB
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CF0B
CRYPTO_memdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CF38
X509_STORE_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CF71
X509_STORE_up_ref.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CF87
CRYPTO_strdup.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFBBAF9CFF0

Strings

ssl\ssl_cert.c, xrefs: 00007FFBBAF9CB8B, 00007FFBBAF9CBA3, 00007FFBBAF9CBD4, 00007FFBBAF9CCCC, 00007FFBBAF9CD12, 00007FFBBAF9CD61, 00007FFBBAF9CDDC, 00007FFBBAF9CE0B, 00007FFBBAF9CE21, 00007FFBBAF9CE37, 00007FFBBAF9CE6E, 00007FFBBAF9CE84, 00007FFBBAF9CE9C, 00007FFBBAF9CEDB, 00007FFBBAF9CF2B, 00007FFBBAF9CFE9
gfffffff, xrefs: 00007FFBBAF9CBEC
ssl_cert_dup, xrefs: 00007FFBBAF9CD55

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$X509_$E_freeE_up_refO_mallocO_memdupO_zallocX509_freeY_freeY_up_refmemcpy$O_strdupR_newR_set_debugR_set_errorX509_chain_up_refX509_up_ref
String ID: gfffffff$ssl\ssl_cert.c$ssl_cert_dup
API String ID: 2506476208-2918673968
Opcode ID: 4aabc9e47b0b68d61cbab0a4cf733eace30f04e56d1890a6f5a4c8303ad38d70
Instruction ID: 0562ae980d84a7aea59eaba05edcabc66d349158480f2761e682846efe68add5
Opcode Fuzzy Hash: 4aabc9e47b0b68d61cbab0a4cf733eace30f04e56d1890a6f5a4c8303ad38d70
Instruction Fuzzy Hash: 40D12AB2A05B4296EA58DF7AD4902BC33A4FB48B84F808035DF4D87B65DF38E465C354

Function 00007FFBA95FBBA0 Relevance: 61.5, APIs: 23, Strings: 12, Instructions: 268windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FFBA95FBCB1
ShowWindow.USER32 ref: 00007FFBA95FBCD3
ShowWindow.USER32 ref: 00007FFBA95FBCE2
ShowWindow.USER32 ref: 00007FFBA95FBCF1
ShowWindow.USER32 ref: 00007FFBA95FBD09
ShowWindow.USER32 ref: 00007FFBA95FBD18
ShowWindow.USER32 ref: 00007FFBA95FBD2E
ShowWindow.USER32 ref: 00007FFBA95FBD3D

Part of subcall function 00007FFBA95FBB20: LoadImageW.USER32 ref: 00007FFBA95FBB6E

PostQuitMessage.USER32 ref: 00007FFBA95FBD5A
CreateWindowExW.USER32 ref: 00007FFBA95FBDA9
SendMessageW.USER32 ref: 00007FFBA95FBDEC
SendMessageW.USER32 ref: 00007FFBA95FBE15
SendMessageW.USER32 ref: 00007FFBA95FBE3E
CreateWindowExW.USER32 ref: 00007FFBA95FBE91
CreateWindowExW.USER32 ref: 00007FFBA95FBEF3
CreateWindowExW.USER32 ref: 00007FFBA95FBF55

Strings

Wall, xrefs: 00007FFBA95FBE22
d, xrefs: 00007FFBA95FBF2D
EDIT, xrefs: 00007FFBA95FBF7F, 00007FFBA95FBFD4, 00007FFBA95FC032, 00007FFBA95FC090
BUTTON, xrefs: 00007FFBA95FBEA8, 00007FFBA95FBF4E
Chat, xrefs: 00007FFBA95FBDF9
Previous, xrefs: 00007FFBA95FBE9C
STATIC, xrefs: 00007FFBA95FBE4B
d, xrefs: 00007FFBA95FC0C7
Photo Album, xrefs: 00007FFBA95FBDAF
SysTabControl32, xrefs: 00007FFBA95FBD73
Next, xrefs: 00007FFBA95FBF45
2, xrefs: 00007FFBA95FC0CF

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Window$Show$Message$CreateSend$ImageLoadPostQuit
String ID: 2$BUTTON$Chat$EDIT$Next$Photo Album$Previous$STATIC$SysTabControl32$Wall$d$d
API String ID: 343215222-3801512821
Opcode ID: d45e6f72cf9261985faf633179a9d953c584a846cc023aacac053369a3ddb955
Instruction ID: 11e8c95c61272eeb45caa690dd18830e7c6f2e6c327c95d3ff3410ccde3aaec0
Opcode Fuzzy Hash: d45e6f72cf9261985faf633179a9d953c584a846cc023aacac053369a3ddb955
Instruction Fuzzy Hash: C2E130B190AB9386E7128F25F84426AB7A4FB88794F101135EE8D87B69CF7CD149DB10

Function 00007FFBBAFADAA0 Relevance: 56.4, APIs: 29, Strings: 3, Instructions: 384COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAFADAC9
CRYPTO_THREAD_lock_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFADAF1
CRYPTO_new_ex_data.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB13
CRYPTO_THREAD_lock_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB24
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB3D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB45
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB5D
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB6E
CRYPTO_free_ex_data.LIBCRYPTO-3-X64 ref: 00007FFBBAFADB8D
CRYPTO_THREAD_lock_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFADBAE
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFADBC3

Strings

ssl\ssl_lib.c, xrefs: 00007FFBBAFADAB7, 00007FFBBAFADB33, 00007FFBBAFADB56, 00007FFBBAFADBB9, 00007FFBBAFADCB1, 00007FFBBAFADDCD, 00007FFBBAFADEDF, 00007FFBBAFADF2A, 00007FFBBAFADF7C, 00007FFBBAFAE0C9, 00007FFBBAFAE10C, 00007FFBBAFAE193
ossl_ssl_connection_new_int, xrefs: 00007FFBBAFADB4A, 00007FFBBAFADCA5, 00007FFBBAFADDC1
SSL_set_ct_validation_callback, xrefs: 00007FFBBAFAE187

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: D_lock_freeO_free$D_lock_newO_free_ex_dataO_new_ex_dataO_zallocR_newR_set_debugR_set_error
String ID: SSL_set_ct_validation_callback$ossl_ssl_connection_new_int$ssl\ssl_lib.c
API String ID: 3044204582-3251968464
Opcode ID: 3102baa1412d9dc2fe6f24f4c092df0f04db6a9f7d3249aafc757541ecd36df3
Instruction ID: 08d6d43965e48423371b37b68a8b2e5312251929839f081ed717b99799520f7b
Opcode Fuzzy Hash: 3102baa1412d9dc2fe6f24f4c092df0f04db6a9f7d3249aafc757541ecd36df3
Instruction Fuzzy Hash: C41228B6A09B8286EB999F39D5807E873A8FB48B84F584135DF5C87365DF38E460C314

Function 00007FFBBAFC79E0 Relevance: 54.5, APIs: 24, Strings: 7, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAF91030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBAF91075
Part of subcall function 00007FFBBAF91030: GetACP.KERNEL32 ref: 00007FFBBAF9108E
Part of subcall function 00007FFBBAF91030: MultiByteToWideChar.KERNEL32 ref: 00007FFBBAF910DC
Part of subcall function 00007FFBBAF91030: MultiByteToWideChar.KERNEL32 ref: 00007FFBBAF91187
Part of subcall function 00007FFBBAF91030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBAF9119D

Part of subcall function 00007FFBBAF91030: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBAF9114E
Part of subcall function 00007FFBBAF91030: GetEnvironmentVariableW.KERNEL32 ref: 00007FFBBAF91237
Part of subcall function 00007FFBBAF91030: WideCharToMultiByte.KERNEL32 ref: 00007FFBBAF91269
Part of subcall function 00007FFBBAF91030: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF91286
Part of subcall function 00007FFBBAF91030: WideCharToMultiByte.KERNEL32 ref: 00007FFBBAF912B6
Part of subcall function 00007FFBBAF91030: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF912CE
Part of subcall function 00007FFBBAF91030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBAF912E3
Part of subcall function 00007FFBBAF91030: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFBBAF912FB

CRYPTO_malloc.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7AC1
memcpy.VCRUNTIME140(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7ADB
BIO_snprintf.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7B08
BIO_snprintf.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7B45
CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7B5C
CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7BB4
CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7BDC
CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C00
CRYPTO_strdup.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C24
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C5D
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C73
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C89
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7C9F
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7CB4
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7CC9
BIO_new_file.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7D09
BIO_free_all.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7D26
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7D74
BIO_free_all.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7D89
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7D9F
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7DB5
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7DCB
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7DE1
CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC7E0B

Strings

server, xrefs: 00007FFBBAFC7B22
%02x, xrefs: 00007FFBBAFC7AFE
ssl\quic\qlog.c, xrefs: 00007FFBBAFC7AA6, 00007FFBBAFC7B50, 00007FFBBAFC7BAD, 00007FFBBAFC7BD5, 00007FFBBAFC7BF9, 00007FFBBAFC7C1D, 00007FFBBAFC7C50, 00007FFBBAFC7C66, 00007FFBBAFC7C7C, 00007FFBBAFC7C92, 00007FFBBAFC7CAA, 00007FFBBAFC7CBF, 00007FFBBAFC7D6A, 00007FFBBAFC7D92, 00007FFBBAFC7DA8, 00007FFBBAFC7DBE, 00007FFBBAFC7DD4, 00007FFBBAFC7DEC, 00007FFBBAFC7E01
_%s.sqlog, xrefs: 00007FFBBAFC7B3B
OSSL_QFILTER, xrefs: 00007FFBBAFC7A14
client, xrefs: 00007FFBBAFC7B29
QLOGDIR, xrefs: 00007FFBBAFC7A08

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$ByteCharMultiO_strdupWide$EnvironmentVariable$O_free_allO_mallocO_snprintffree$O_new_fileO_zallocmallocmemcpy
String ID: %02x$OSSL_QFILTER$QLOGDIR$_%s.sqlog$client$server$ssl\quic\qlog.c
API String ID: 2723435664-422815081
Opcode ID: d291c5b6610de2aacd351f813fe5934e297f341e1d8762b199336e3a418291ea
Instruction ID: dee00a41c90c8434aeb3913e27b8c7b5c81859c891b8ebb64cfcbfb36b52528a
Opcode Fuzzy Hash: d291c5b6610de2aacd351f813fe5934e297f341e1d8762b199336e3a418291ea
Instruction Fuzzy Hash: 04B18BA2F0878245EF54DB7AD8502F82765BF48B84F849035EF4D877A6EEACE554C308

Function 00007FFBBB009B55 Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EB2D
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EB45

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EB7A
ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EBBF
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EBD7
OPENSSL_sk_new_null.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EBEC
ERR_new.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EC04
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?), ref: 00007FFBBB00EC1C
X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00EF8D
OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00EFA0

Part of subcall function 00007FFBBB016360: ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB00EB23), ref: 00007FFBBB016431
Part of subcall function 00007FFBBB016360: ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB00EB23), ref: 00007FFBBB016449
Part of subcall function 00007FFBBB016360: CRYPTO_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB00EB23), ref: 00007FFBBB0167A8
Part of subcall function 00007FFBBB016360: EVP_PKEY_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,?,00007FFBBB00EB23), ref: 00007FFBBB0167B0

Strings

tls_process_server_rpk, xrefs: 00007FFBBB00EB32
ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00EB3E, 00007FFBBB00EBD0, 00007FFBBB00EC15, 00007FFBBB00EE3A, 00007FFBBB00EE88, 00007FFBBB00EEB0, 00007FFBBB00EEE7, 00007FFBBB00EF0C, 00007FFBBB00EF36, 00007FFBBB00EF67
tls_process_server_certificate, xrefs: 00007FFBBB00EBC4, 00007FFBBB00EC0E, 00007FFBBB00EEA4, 00007FFBBB00EEE0, 00007FFBBB00EF00, 00007FFBBB00EF2A, 00007FFBBB00EF5B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$X509_freeY_free$L_sk_new_nullO_freeR_vset_error
String ID: ssl\statem\statem_clnt.c$tls_process_server_certificate$tls_process_server_rpk
API String ID: 3083030328-984152608
Opcode ID: 4f77af51717fa47250094d16074ece9982fc57611b79eccb9418e9a006679a37
Instruction ID: 463a7c975d9e9e3ae474a1191a2d738e935290b3ba25c267697ebaf8df8557d8
Opcode Fuzzy Hash: 4f77af51717fa47250094d16074ece9982fc57611b79eccb9418e9a006679a37
Instruction Fuzzy Hash: 71D1C1A2E08A8685EB109B39D4542BD27A0FB54B88FD4C131EB5D576B6DF3CE482C708

Function 00007FFBBB00C9B0 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBB00BC70: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00BCBD
Part of subcall function 00007FFBBB00BC70: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00BCD5
Part of subcall function 00007FFBBB00BC70: OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF0D
Part of subcall function 00007FFBBB00BC70: OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF1C
Part of subcall function 00007FFBBB00BC70: CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF34
Part of subcall function 00007FFBBB00BC70: CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF4C

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00CA59
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00CA87
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00CA9F

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Part of subcall function 00007FFBBB00B540: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00B58C
Part of subcall function 00007FFBBB00B540: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00B5A4

EVP_PKEY_get1_encoded_public_key.LIBCRYPTO-3-X64 ref: 00007FFBBB00CADE
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00CAE8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00CB00
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00CB82
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00CB8A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00CCDC
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00CD11
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00CD3F

Strings

tls_construct_client_key_exchange, xrefs: 00007FFBBB00CCC9
ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00CA98, 00007FFBBB00CAF9, 00007FFBBB00CB47, 00007FFBBB00CB75, 00007FFBBB00CC2E, 00007FFBBB00CC4E, 00007FFBBB00CC93, 00007FFBBB00CCD5, 00007FFBBB00CCFD, 00007FFBBB00CD1D
tls_construct_cke_srp, xrefs: 00007FFBBB00CC87, 00007FFBBB00CCAC
tls_construct_cke_ecdhe, xrefs: 00007FFBBB00CA5E, 00007FFBBB00CA8C, 00007FFBBB00CAED, 00007FFBBB00CB3B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_clear_free$L_cleanse$O_freeR_vset_errorY_freeY_get1_encoded_public_key
String ID: ssl\statem\statem_clnt.c$tls_construct_cke_ecdhe$tls_construct_cke_srp$tls_construct_client_key_exchange
API String ID: 309064216-3169014888
Opcode ID: 47dd147f5dece61c8c85f6c9e8e2785a4fa4c8d8c9abf5c5ad49d04fe83e6340
Instruction ID: f54ee9b787c15bd9bc0c96278734b234a2019a229901929035cd60e2450a9d58
Opcode Fuzzy Hash: 47dd147f5dece61c8c85f6c9e8e2785a4fa4c8d8c9abf5c5ad49d04fe83e6340
Instruction Fuzzy Hash: 5F91A0A1A0C64685FA64AB39D8657FD2351BF85BC8FD48132EF0D0B6B6DF6CE1418308

Function 00007FFBBAF9AB80 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 307COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9ABF6
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AC0E
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AC20
ASN1_item_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AC2F
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AC82
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AC9A
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9ACC3
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9ACDB
memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AD45
memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AD7F
X509_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9ADDB
EVP_PKEY_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9ADF6
d2i_PUBKEY_ex.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AE31
memcpy.VCRUNTIME140(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AE6D
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AEFB
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AF41
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AF59

Part of subcall function 00007FFBBAF9B500: CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF9AE9A,?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9B52E

CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9AFC4
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9B02D
ASN1_item_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAF9AB6E), ref: 00007FFBBAF9B07F

Strings

ssl\ssl_asn1.c, xrefs: 00007FFBBAF9AC07, 00007FFBBAF9AC93, 00007FFBBAF9ACD4, 00007FFBBAF9AED8, 00007FFBBAF9AF52, 00007FFBBAF9AF9E, 00007FFBBAF9B013
d2i_SSL_SESSION_ex, xrefs: 00007FFBBAF9ABFB, 00007FFBBAF9AC87, 00007FFBBAF9ACC8, 00007FFBBAF9AF46

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_freeR_newR_set_debug$memcpy$N1_item_free$R_set_errorX509_freeY_exY_freed2i_
String ID: d2i_SSL_SESSION_ex$ssl\ssl_asn1.c
API String ID: 3345805239-3787699099
Opcode ID: b3d73e685dff178624565b53021dc5f85bd6414ecc8e7a2ca2140fad4d6d86c7
Instruction ID: 53385a3768c47a039eaf2f2ae30ba8bbca4ec1a58c58fb13cca5e027ba592a4e
Opcode Fuzzy Hash: b3d73e685dff178624565b53021dc5f85bd6414ecc8e7a2ca2140fad4d6d86c7
Instruction Fuzzy Hash: EDE161B2A09B8682EB599F39D4902F933A8FB04B85F448076DF4D877A5DF38E455C318

Function 00007FFBBB00BC70 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00BCBD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00BCD5

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

memset.VCRUNTIME140 ref: 00007FFBBB00BCF2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00BD36
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00BD4E
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF0D
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF1C
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF34
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00BF4C

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00BCCE, 00007FFBBB00BD47, 00007FFBBB00BD87, 00007FFBBB00BDE1, 00007FFBBB00BDFE, 00007FFBBB00BE1B, 00007FFBBB00BE4B, 00007FFBBB00BE64, 00007FFBBB00BEE0, 00007FFBBB00BF27, 00007FFBBB00BF3F
tls_construct_cke_psk_preamble, xrefs: 00007FFBBB00BCC2, 00007FFBBB00BD3B, 00007FFBBB00BD7B, 00007FFBBB00BDDA, 00007FFBBB00BED4

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_cleanseO_clear_freeR_newR_set_debug$R_vset_errormemset
String ID: ssl\statem\statem_clnt.c$tls_construct_cke_psk_preamble
API String ID: 1497096399-961470946
Opcode ID: 96c9cc94501576d294ebac76d590668ebc025fcfb407287dbfab9ab9591df6af
Instruction ID: b97d1f44df43e2d3eed8f2dd40abe42f013fb4d5f3bb1e0dd518293081ec0b7f
Opcode Fuzzy Hash: 96c9cc94501576d294ebac76d590668ebc025fcfb407287dbfab9ab9591df6af
Instruction Fuzzy Hash: 8471B2A1B0858645FA10AB39E8547FE6651BF94788FC48032EF4D0B6B6DF3CE5468308

Function 00007FFBBAFAE9C0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAE9EA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAEA02

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAEA52
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAEA6A

Strings

ssl_cache_cipherlist, xrefs: 00007FFBBAFAE9EF, 00007FFBBAFAEA57, 00007FFBBAFAEAF8, 00007FFBBAFAEB9B, 00007FFBBAFAEC4A
C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFBBAFAEBFC, 00007FFBBAFAEC24
ssl\ssl_lib.c, xrefs: 00007FFBBAFAE9FB, 00007FFBBAFAEA63, 00007FFBBAFAEA90, 00007FFBBAFAEACA, 00007FFBBAFAEB04, 00007FFBBAFAEBA7, 00007FFBBAFAEBCF, 00007FFBBAFAEC56

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\ssl_lib.c$ssl_cache_cipherlist
API String ID: 4275876640-2653005832
Opcode ID: b2d3ff2e7460bfd685355b8b56e15b030dc783cb0c699efb69fd5f80ed53db83
Instruction ID: 5377e54b01fed4ccb0362dd52f9bbcdd3f19864f8b1473b711aae85d9610e276
Opcode Fuzzy Hash: b2d3ff2e7460bfd685355b8b56e15b030dc783cb0c699efb69fd5f80ed53db83
Instruction Fuzzy Hash: EE71EFB2A18A8282EB15EB39D4515F93365FF58784F848132EF4D46A66EF3CE544C308

Function 00007FFBBB006C00 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-3-X64 ref: 00007FFBBB006D30
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006D54
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006D6C
memchr.VCRUNTIME140 ref: 00007FFBBB006DA4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006DAE
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB006DD5
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB006DF2
CRYPTO_strndup.LIBCRYPTO-3-X64 ref: 00007FFBBB006E0A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006E1F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006E37
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006E4A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006E62
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006E8C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006EA4

Strings

C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFBBB006DDC, 00007FFBBB006DFD
tls_parse_ctos_server_name, xrefs: 00007FFBBB006D59, 00007FFBBB006DB3, 00007FFBBB006E24, 00007FFBBB006E4F, 00007FFBBB006E91
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB006D65, 00007FFBBB006DC8, 00007FFBBB006E30, 00007FFBBB006E5B, 00007FFBBB006E9D

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$O_free$O_memcmpO_strndupmemchr
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_server_name
API String ID: 780431574-97801704
Opcode ID: 8cd8da31e0efa234568788e742ee5960ecf7d41de1af41978b5eb7089d68118f
Instruction ID: c38005a6acb8500dcbd7e3b6a2be31c200dc0441661c0ba0ac99ffa43eab51af
Opcode Fuzzy Hash: 8cd8da31e0efa234568788e742ee5960ecf7d41de1af41978b5eb7089d68118f
Instruction Fuzzy Hash: 0671C0A2E0C68689EB609B38D4253BD6752FB54784FC4C032EB4D476A6DF6CE584D708

Function 00007FFBBAF99C50 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF99C8B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF99CA3

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3-X64 ref: 00007FFBBAF99CDE
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF99D42
CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF99D5C
EVP_PKEY_encapsulate.LIBCRYPTO-3-X64 ref: 00007FFBBAF99D86
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF99D8F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF99E21
CRYPTO_clear_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF99E50
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF99E65
EVP_PKEY_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF99E6D

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF99C9C, 00007FFBBAF99D3B, 00007FFBBAF99D4C, 00007FFBBAF99DF5, 00007FFBBAF99E1A, 00007FFBBAF99E40, 00007FFBBAF99E5B
ssl_encapsulate, xrefs: 00007FFBBAF99C90, 00007FFBBAF99DE9, 00007FFBBAF99E13

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_mallocR_newR_set_debug$O_clear_freeO_freeR_vset_errorX_freeX_new_from_pkeyY_encapsulate
String ID: ssl\s3_lib.c$ssl_encapsulate
API String ID: 3419928332-3980050716
Opcode ID: 14dc24e26e97b8e29fd39556cd48225bede60dd23707989e48314ad64baebf11
Instruction ID: f58703f848788fdfe43b1b3e22bffee96dac52cb8dad32e66b7037b65bdcf0a3
Opcode Fuzzy Hash: 14dc24e26e97b8e29fd39556cd48225bede60dd23707989e48314ad64baebf11
Instruction Fuzzy Hash: 3B5180B2A08B4241FA25AB7AE4905FE6755FB84784F848032EF4D47BA6DF3CE505C748

Function 00007FFBA9656D6C Relevance: 27.2, APIs: 18, Instructions: 229fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FFBA9656E19
GetLastError.KERNEL32 ref: 00007FFBA9656E23
FindFirstFileW.KERNEL32 ref: 00007FFBA9656E3A
GetLastError.KERNEL32 ref: 00007FFBA9656E46
FindClose.KERNEL32 ref: 00007FFBA9656E54
__std_fs_open_handle.LIBCPMT ref: 00007FFBA9656EE7
CloseHandle.KERNEL32 ref: 00007FFBA9656EFD
CloseHandle.KERNEL32 ref: 00007FFBA9657070

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: 48277d215c04923b88d6237142a889d80030d35aecea6fe47db4b782c5840e03
Instruction ID: d93abdcac1208cba67a65085dc8ecb1b79ff37d1890ca1d917a855ca78c15de2
Opcode Fuzzy Hash: 48277d215c04923b88d6237142a889d80030d35aecea6fe47db4b782c5840e03
Instruction Fuzzy Hash: 6091B0B1A0AA0346FB664F39EC0467922A1AF957B4F046734DDAE876D4DF3CE801E700

Function 00007FFBBAF9FBB0 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 370stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAF9FD4A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAF9FD73
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAFA0021
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAFA0059
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFA0080
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFA008C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFA00A4
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFA00B5
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFA00F7
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFA010F
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFA0120

Strings

SECLEVEL=, xrefs: 00007FFBBAFA0052
STRENGTH, xrefs: 00007FFBBAFA001A
ssl_cipher_process_rulestr, xrefs: 00007FFBBAFA0096, 00007FFBBAFA00FC
ssl\ssl_ciph.c, xrefs: 00007FFBBAFA009D, 00007FFBBAFA0108

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: strncmp$R_new$R_set_debugR_set_error
String ID: SECLEVEL=$STRENGTH$ssl\ssl_ciph.c$ssl_cipher_process_rulestr
API String ID: 2651782980-2883399597
Opcode ID: be49c8fbb92ce15e49d716310c819b843e0d8a16d0e530c733032fc10c4ff7d7
Instruction ID: fcd5d0f67a56125908663dfa848fb62d30d5329d2a726ca92d5794f156a220ad
Opcode Fuzzy Hash: be49c8fbb92ce15e49d716310c819b843e0d8a16d0e530c733032fc10c4ff7d7
Instruction Fuzzy Hash: 82E1B4B2E1C24286E7648A7DE0903BA77A5FB45785F408175EF8D83695DF3CE849CB08

Function 00007FFBBAFB7B60 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 146COMMON

Download Yara Rule

Strings

, xrefs: 00007FFBBAFB7DB7
key expansion, xrefs: 00007FFBBAFB7DC5
ssl\t1_enc.c, xrefs: 00007FFBBAFB7C9C, 00007FFBBAFB7D06, 00007FFBBAFB7D2E
, xrefs: 00007FFBBAFB7DCC
tls1_setup_key_block, xrefs: 00007FFBBAFB7C90, 00007FFBBAFB7D22

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID:
String ID: $ $key expansion$ssl\t1_enc.c$tls1_setup_key_block
API String ID: 0-1703762739
Opcode ID: 75910e5e171926d91b1d22f83e03249d724c47a74bb7d714a6100aecbd94a4c8
Instruction ID: 683fd7ca6a76d455ed7b6ee09dc4bc1597743f2ddb13211dc133893f8556eed7
Opcode Fuzzy Hash: 75910e5e171926d91b1d22f83e03249d724c47a74bb7d714a6100aecbd94a4c8
Instruction Fuzzy Hash: 35615CB2A09B8186E760DB68E4407ED73A4FB84B94F844132EF8C47BA9DF3CD1458744

Function 00007FFBBAF98C60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98CA5
EVP_PKEY_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98CBC
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98CF8
OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D0B
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D24
CRYPTO_clear_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D44
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D5D
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D76
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98D8F
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98DB0
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98DC9
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98DE2
memset.VCRUNTIME140(00000000,00007FFBBAF94EF8), ref: 00007FFBBAF98DFE

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF98CEB, 00007FFBBAF98D17, 00007FFBBAF98D30, 00007FFBBAF98D50, 00007FFBBAF98D69, 00007FFBBAF98D82, 00007FFBBAF98DA3, 00007FFBBAF98DBC, 00007FFBBAF98DD5

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$Y_free$L_sk_pop_freeO_clear_freememset
String ID: ssl\s3_lib.c
API String ID: 4031674668-3639828702
Opcode ID: d239469249c074a6f7263cfa99ef2d0d81c5b96c2e022865a3032791c1df6fc3
Instruction ID: 67d9d34b91d4f3d63cfc4c4ce2b897cd9e9fe93d883923a35ac4882550901f2f
Opcode Fuzzy Hash: d239469249c074a6f7263cfa99ef2d0d81c5b96c2e022865a3032791c1df6fc3
Instruction Fuzzy Hash: A8413DE1A18A4741EF09EBB9C4A03FC2315BF54B84F848432EF0D4B2A6CE6DE1058369

Function 00007FFBA967922C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FFBA967927A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA96798E6
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9679A5C
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9679D1A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9679F3A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967A177
memcpy_s.LIBCPMT ref: 00007FFBA967A252
memcpy_s.LIBCPMT ref: 00007FFBA967A2FD
memcpy_s.LIBCPMT ref: 00007FFBA967A3CC

Strings

1#SNAN, xrefs: 00007FFBA967938A
1#IND, xrefs: 00007FFBA9679367
1#QNAN, xrefs: 00007FFBA9679393
1#INF, xrefs: 00007FFBA96793A3

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 84fa3294c7a565b393014983f83818e75cc8c9dc09fb8e1e812fd20593876866
Instruction ID: 420c5ff009888b4b05bd4c31d1536dc1ae95748d8e17fde2499d01e1f8fe77c2
Opcode Fuzzy Hash: 84fa3294c7a565b393014983f83818e75cc8c9dc09fb8e1e812fd20593876866
Instruction Fuzzy Hash: 63B2B5B2A1A2938EE7668E78D9407F937E1FF44748F546135DE0DD7A88DB38A900DB40

Function 00007FFBA95F6F40 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 295windowregistryCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FFBA95F7225
PostQuitMessage.USER32 ref: 00007FFBA95F722D

Part of subcall function 00007FFBA96638C4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBA96638D8

RegisterClassW.USER32 ref: 00007FFBA95F732F
CreateWindowExW.USER32 ref: 00007FFBA95F737B
ShowWindow.USER32 ref: 00007FFBA95F7386
GetMessageW.USER32 ref: 00007FFBA95F73AE
TranslateMessage.USER32 ref: 00007FFBA95F73C5
DispatchMessageW.USER32 ref: 00007FFBA95F73D0
GetMessageW.USER32 ref: 00007FFBA95F73E3

Strings

Game Over!, xrefs: 00007FFBA95F721C
gfff, xrefs: 00007FFBA95F719C
Tetris, xrefs: 00007FFBA95F7215, 00007FFBA95F733A
TetrisGame, xrefs: 00007FFBA95F7308

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Message$TimeWindow$ClassCreateDispatchFilePostQuitRegisterShowSystemTranslate
String ID: Game Over!$Tetris$TetrisGame$gfff
API String ID: 3409167224-4281476174
Opcode ID: 43e2a1d9d3236a56e6d77b0ae2d8826ce1315643911226d9d8df80e459cae0f7
Instruction ID: a0289093b9af2c72dac49b72f59435657e43d812528fc0f1b547978e56f22ac2
Opcode Fuzzy Hash: 43e2a1d9d3236a56e6d77b0ae2d8826ce1315643911226d9d8df80e459cae0f7
Instruction Fuzzy Hash: 31D1D1B2A09B8782EB118F35E8412A973A1FF98B94F445236DE4D87B95DF3CE158D700

Function 00007FFBBAFF6C00 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF6C34
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF6C4C

Part of subcall function 00007FFBBAFF76D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFBBAFF34A0,?,00007FFBBAFF2DD6), ref: 00007FFBBAFF76FE

SetLastError.KERNEL32 ref: 00007FFBBAFF6CF8
BIO_write.LIBCRYPTO-3-X64 ref: 00007FFBBAFF6D3C
BIO_test_flags.LIBCRYPTO-3-X64 ref: 00007FFBBAFF6D5A

Strings

ssl\record\methods\tls_common.c, xrefs: 00007FFBBAFF6C45, 00007FFBBAFF6E0A, 00007FFBBAFF6E7F
tls_retry_write_records, xrefs: 00007FFBBAFF6DFE
tls_write_records, xrefs: 00007FFBBAFF6C39

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: ErrorLastO_test_flagsO_writeR_newR_set_debugR_vset_error
String ID: ssl\record\methods\tls_common.c$tls_retry_write_records$tls_write_records
API String ID: 1843479370-2458201149
Opcode ID: 1c3d643740030ebba10683027bb18aa0663fc07538660bf2464e3744198de7ac
Instruction ID: 4087ca5a293e2ef31c7a07fc5967961f51c1a562ce38e46247986012c0389a81
Opcode Fuzzy Hash: 1c3d643740030ebba10683027bb18aa0663fc07538660bf2464e3744198de7ac
Instruction Fuzzy Hash: 5971B2A2E0AA8582EB949F79D5443FC33A9FB54B85F544130DF4D83BA5DF3AE4618308

Function 00007FFBA95F6AE0 Relevance: 19.7, APIs: 13, Instructions: 230filememoryCOMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32 ref: 00007FFBA95F6BF6
FlushViewOfFile.KERNEL32 ref: 00007FFBA95F6C00
GlobalReAlloc.KERNEL32 ref: 00007FFBA95F6C0D
GetProcessPriorityBoost.KERNEL32 ref: 00007FFBA95F6C17
SetProcessShutdownParameters.KERNEL32 ref: 00007FFBA95F6C21
SetFileAttributesW.KERNEL32 ref: 00007FFBA95F6C2B
GetVolumeInformationByHandleW.KERNEL32 ref: 00007FFBA95F6C4E
GetConsoleOriginalTitleW.KERNEL32 ref: 00007FFBA95F6C58
RemoveDllDirectory.KERNEL32 ref: 00007FFBA95F6C60
GetUserPreferredUILanguages.KERNEL32 ref: 00007FFBA95F6C70
ApplicationRecoveryInProgress.KERNEL32 ref: 00007FFBA95F6C78
IsValidCodePage.KERNEL32 ref: 00007FFBA95F6C80
GetCurrentProcess.KERNEL32 ref: 00007FFBA95F6C86

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Process$File$AllocApplicationAttributesBoostCodeComputerConsoleCurrentDirectoryFlushGlobalHandleInformationLanguagesNameOriginalPageParametersPreferredPriorityProgressRecoveryRemoveShutdownTitleUserValidViewVolume
String ID:
API String ID: 343640435-0
Opcode ID: d01fc4f527d7941e3811a8252fdbf6eef8afb7aee1875555f1389df738ffbb34
Instruction ID: 9ddb072757620321a3e58d1b2576478ab4c9b322fa0e1916b5bec8d4d48f0965
Opcode Fuzzy Hash: d01fc4f527d7941e3811a8252fdbf6eef8afb7aee1875555f1389df738ffbb34
Instruction Fuzzy Hash: 0EC1FB73A19B818DE711CFB8E84029E77B5FFA5348F20512ADB8893A69DF38C155CB14

Function 00007FFBBB004B90 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB004C7F
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBB004CA3
CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFBBB004CC9
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB004CDF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB004CF7

Strings

C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h, xrefs: 00007FFBBB004C86, 00007FFBBB004CAF
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB004C6D, 00007FFBBB004CF0, 00007FFBBB004D42
tls_parse_ctos_alpn, xrefs: 00007FFBBB004CE4, 00007FFBBB004D3B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$O_memdupR_newR_set_debug
String ID: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\include\internal/packet.h$ssl\statem\extensions_srvr.c$tls_parse_ctos_alpn
API String ID: 779157885-2990447755
Opcode ID: 99071bf1c0f39c3966d1226b97a738cf9636e218d2d8595192d6f60a1532231a
Instruction ID: 89b24baad2bda4524e7529fe2429e7a10d2e6e04d0f0973cdd09ecfe29ebe786
Opcode Fuzzy Hash: 99071bf1c0f39c3966d1226b97a738cf9636e218d2d8595192d6f60a1532231a
Instruction Fuzzy Hash: C341BFE2A08AC545FB108B38E4243BD6361FF55784F888536EB8C17AA6DF3CE1918708

Function 00007FFBBAFDEAB0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 291COMMON

Download Yara Rule

APIs

BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEB83
BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEB94
memcmp.VCRUNTIME140(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEBB3
BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEBD0
BIO_ADDR_family.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEBE1
memcmp.VCRUNTIME140(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEC00
CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,00000000,00000000,?,00000001,00007FFBBAFEA0DF,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFDEC5E
BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFBBAFDED6E
BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFBBAFDED98

Strings

ssl\quic\quic_record_tx.c, xrefs: 00007FFBBAFDEC57

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_family$R_clearmemcmp$O_malloc
String ID: ssl\quic\quic_record_tx.c
API String ID: 552621978-2432027203
Opcode ID: 6bfcb68d58344265a4efeaccda8c05a7ad97266604ac16126b3e74441e48d790
Instruction ID: ad75618f136afa62000b459ce47b07a3a9fe448c44932a4c534fedbbadd3d17c
Opcode Fuzzy Hash: 6bfcb68d58344265a4efeaccda8c05a7ad97266604ac16126b3e74441e48d790
Instruction Fuzzy Hash: 5FC1B1A2E08BC282EA6A9B39D5402BD63A9FF44B85F148575DF9D87384DF38E591C304

Function 00007FFBBB009B83 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBB009BF0
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB009C0A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB009C22

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB009C6B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB009C83
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB009CAC
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB009CB8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB009CD0

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFBBB009BE7, 00007FFBBB009C1B, 00007FFBBB009C7C, 00007FFBBB009CC9
tls_process_cert_status_body, xrefs: 00007FFBBB009C0F, 00007FFBBB009C75, 00007FFBBB009CBD

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$O_mallocR_vset_error
String ID: ssl\statem\statem_clnt.c$tls_process_cert_status_body
API String ID: 683522601-145685350
Opcode ID: 6b1c9004cca454a110a8600a8dfc1ff3546eaac744be6963035e3afe3a7165ba
Instruction ID: 07361924509750add0b8f35702167952022897711605617a407ea22f874bcacc
Opcode Fuzzy Hash: 6b1c9004cca454a110a8600a8dfc1ff3546eaac744be6963035e3afe3a7165ba
Instruction Fuzzy Hash: A141CEB2E08A8641EB409B3EE4506BD7791FB94788FC4C532DB5D077A6DF6CE1468308

Function 00007FFBBAFF7AC0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7AF6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7B0E

Part of subcall function 00007FFBBAFF76D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFBBAFF34A0,?,00007FFBBAFF2DD6), ref: 00007FFBBAFF76FE

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7B53
COMP_expand_block.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7B7C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7BA1
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7BB9
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7BE3
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7BFB

Strings

ssl\record\methods\tls_common.c, xrefs: 00007FFBBAFF7B07, 00007FFBBAFF7B47, 00007FFBBAFF7BB2, 00007FFBBAFF7BF4
tls_default_post_process_record, xrefs: 00007FFBBAFF7AFB, 00007FFBBAFF7BA6, 00007FFBBAFF7BE8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_mallocP_expand_blockR_vset_error
String ID: ssl\record\methods\tls_common.c$tls_default_post_process_record
API String ID: 496873950-3963434292
Opcode ID: 3254e8f872546ffeed461956e4be197e14653935d0b453bae56f0e3bb3ba8a4f
Instruction ID: c9cf958444adfe31392f8a2d6219ff997b0d8e944f55df811720360fa45272b2
Opcode Fuzzy Hash: 3254e8f872546ffeed461956e4be197e14653935d0b453bae56f0e3bb3ba8a4f
Instruction Fuzzy Hash: D0417FA2E0865282EB44DB29E4053FD63A4FB84784F908471EF5C43BAADF7DE5958708

Function 00007FFBA95FC150 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FFBA95FC1A3
CreateWindowExW.USER32 ref: 00007FFBA95FC1F4
ShowWindow.USER32 ref: 00007FFBA95FC202
UpdateWindow.USER32 ref: 00007FFBA95FC20B
GetMessageW.USER32 ref: 00007FFBA95FC233
TranslateMessage.USER32 ref: 00007FFBA95FC245
DispatchMessageW.USER32 ref: 00007FFBA95FC250
GetMessageW.USER32 ref: 00007FFBA95FC263

Strings

SocialNetworkWindowClass, xrefs: 00007FFBA95FC175
OnofojqxrJCSdDKaYRZt, xrefs: 00007FFBA95FC1B1

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Message$Window$ClassCreateDispatchRegisterShowTranslateUpdate
String ID: OnofojqxrJCSdDKaYRZt$SocialNetworkWindowClass
API String ID: 4213590987-4059688146
Opcode ID: 1253dbdb52e645b515aff333248db59fcc9a54f20c98d21ab40ab7f127ca445f
Instruction ID: 9580b1460c2a33763fd1c469f10867129d945cd11d3d42c71964fe5af5812446
Opcode Fuzzy Hash: 1253dbdb52e645b515aff333248db59fcc9a54f20c98d21ab40ab7f127ca445f
Instruction Fuzzy Hash: A9319272A18B9682EB11CF21F84436EB3A4FB98B94F614235EE8D83A14DF7CD584C700

Function 00007FFBBAF97BEE Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF97C0B
CRYPTO_strdup.LIBCRYPTO-3-X64 ref: 00007FFBBAF97C63
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97C78
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97C90
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97C9F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97CB7
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97CC6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97CDE

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF97BFE, 00007FFBBAF97C59, 00007FFBBAF97C89, 00007FFBBAF97CB0, 00007FFBBAF97CD7
ssl3_ctrl, xrefs: 00007FFBBAF97C7D, 00007FFBBAF97CA4, 00007FFBBAF97CCB

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_strdup
String ID: ssl3_ctrl$ssl\s3_lib.c
API String ID: 2909881267-3530330221
Opcode ID: 744f9d79419faa372c454c5497de04f30c975520e87eec781d7790dc1c658eca
Instruction ID: 00f6c37dce7495befd110dc89e6f8df8efdeb5d947d10eed4db699b28f4fc7b9
Opcode Fuzzy Hash: 744f9d79419faa372c454c5497de04f30c975520e87eec781d7790dc1c658eca
Instruction Fuzzy Hash: E42169A1E1DA4681FE16AB6CD4A03FD2216BF54704FD48436EB4D466AACE6CE946830C

Function 00007FFBA95F3FE0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FFBA95F4037
CreateWindowExW.USER32 ref: 00007FFBA95F4083
ShowWindow.USER32 ref: 00007FFBA95F4093
GetMessageW.USER32 ref: 00007FFBA95F40BB
TranslateMessage.USER32 ref: 00007FFBA95F40CA
DispatchMessageW.USER32 ref: 00007FFBA95F40D5
GetMessageW.USER32 ref: 00007FFBA95F40E8

Strings

JSON Formatter, xrefs: 00007FFBA95F4042
JsonEditorWindow, xrefs: 00007FFBA95F4015

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Message$Window$ClassCreateDispatchRegisterShowTranslate
String ID: JSON Formatter$JsonEditorWindow
API String ID: 4062082325-1842938598
Opcode ID: 9ed12eec91f3dfd033d94eb76869ce32c68f38871289f7f9c28369b615399e99
Instruction ID: 6a7567b155d7e969d237e4e0d1c11cc3234461e2818378b5d550534e354ab52d
Opcode Fuzzy Hash: 9ed12eec91f3dfd033d94eb76869ce32c68f38871289f7f9c28369b615399e99
Instruction Fuzzy Hash: F831A172A1CB9282E711CF31F44866E73A4FB98790F658239EF8C86A14DF79D585C700

Function 00007FFBBAFBCB90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,00007FFBBAFC3EA7,?,00007FFBBAF97BE9), ref: 00007FFBBAFBCBC8
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,00007FFBBAFC3EA7,?,00007FFBBAF97BE9), ref: 00007FFBBAFBCBE0
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,00007FFBBAFC3EA7,?,00007FFBBAF97BE9), ref: 00007FFBBAFBCBF0
CRYPTO_malloc.LIBCRYPTO-3-X64(?,?,?,00007FFBBAFC3EA7,?,00007FFBBAF97BE9), ref: 00007FFBBAFBCC1C
CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,00007FFBBAFC3EA7,?,00007FFBBAF97BE9), ref: 00007FFBBAFBCC87

Strings

tls1_set_groups, xrefs: 00007FFBBAFBCBCD
ssl\t1_lib.c, xrefs: 00007FFBBAFBCBD9, 00007FFBBAFBCC15, 00007FFBBAFBCC7D, 00007FFBBAFBCCE4

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_freeO_mallocR_newR_set_debugR_set_error
String ID: ssl\t1_lib.c$tls1_set_groups
API String ID: 3444577743-501428225
Opcode ID: cc75286bb425705fef7834e09f28b632de305e6e622a973262ee144350e80776
Instruction ID: 0c25e8565883b4db694c724cc11d6d7b71b47ac37ee900c95c2c328bbe64b5e5
Opcode Fuzzy Hash: cc75286bb425705fef7834e09f28b632de305e6e622a973262ee144350e80776
Instruction Fuzzy Hash: DE41E4E2A0868642EB15DB29E4406BA6361FF68784F908031EF4C83BE5DE3CD556C708

Function 00007FFBA967B64C Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBA967B230: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967B271
Part of subcall function 00007FFBA967B230: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967B2EF
Part of subcall function 00007FFBA967B230: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967B340

CreateFileW.KERNEL32 ref: 00007FFBA967B752
CreateFileW.KERNEL32 ref: 00007FFBA967B7A2
GetLastError.KERNEL32 ref: 00007FFBA967B7D2
GetFileType.KERNEL32 ref: 00007FFBA967B7E7
GetLastError.KERNEL32 ref: 00007FFBA967B7F1
CloseHandle.KERNEL32 ref: 00007FFBA967B824
CloseHandle.KERNEL32 ref: 00007FFBA967B987
CreateFileW.KERNEL32 ref: 00007FFBA967B9BC
GetLastError.KERNEL32 ref: 00007FFBA967B9CB

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 7227bd80648cb5df4d8519c076da45ab3d162401483c5efc6719fe77418d70d8
Instruction ID: 36bda209288361b37f1affa9cce1c5e858326ec9e24fad4538eb81a3baf5b5d4
Opcode Fuzzy Hash: 7227bd80648cb5df4d8519c076da45ab3d162401483c5efc6719fe77418d70d8
Instruction Fuzzy Hash: A2C1AE76B29A4285EB15CF78C8912AC3761FB89B98F016225DF2ED7798DF38E055D300

Function 00007FFBBB01FC20 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBBB01FC3C
memset.VCRUNTIME140 ref: 00007FFBBB01FC60
RtlCaptureContext.KERNEL32 ref: 00007FFBBB01FC69
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBBB01FC83
RtlVirtualUnwind.KERNEL32 ref: 00007FFBBB01FCC4
memset.VCRUNTIME140 ref: 00007FFBBB01FCF7
IsDebuggerPresent.KERNEL32 ref: 00007FFBBB01FD18
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBBB01FD35
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBBB01FD40

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 4b500e0cdaba8bda5ce7d4c35988e25b740622c51b13bd991134b9d58df2b060
Instruction ID: ff478c8a134392a9ae003615774212cee29a35b4fa434f14ec73728f671c305d
Opcode Fuzzy Hash: 4b500e0cdaba8bda5ce7d4c35988e25b740622c51b13bd991134b9d58df2b060
Instruction Fuzzy Hash: 48311CB2609B818AEB648F74E8907F97361FB84744F84803ADB4E47BA5EF38D548C714

Function 00007FFBBAFABC10 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFABC6C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFABC84
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFABC94
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFABCC1
CRYPTO_strdup.LIBCRYPTO-3-X64 ref: 00007FFBBAFABCDB

Strings

ssl\ssl_lib.c, xrefs: 00007FFBBAFABC7D, 00007FFBBAFABCAD, 00007FFBBAFABCD1
SSL_use_psk_identity_hint, xrefs: 00007FFBBAFABC71

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_freeO_strdupR_newR_set_debugR_set_error
String ID: SSL_use_psk_identity_hint$ssl\ssl_lib.c
API String ID: 598019968-2430927796
Opcode ID: 3baff2fc1e8685b0d151f9108cfa0568fb7bdcd114a1de066ee2270765700677
Instruction ID: 03c48bb2daabdd50a0ce24d5d757bcb28721bb3d8bca387ca31345b0f6377973
Opcode Fuzzy Hash: 3baff2fc1e8685b0d151f9108cfa0568fb7bdcd114a1de066ee2270765700677
Instruction Fuzzy Hash: 5F31A2A1F18A4245FB958B3DE440BF823A4EF44BC4FA88071DF4DCB6A5DE2CD8858709

Function 00007FFBA96780F8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

TranslateName.LIBCMT ref: 00007FFBA9678162
TranslateName.LIBCMT ref: 00007FFBA967819D
GetACP.KERNEL32 ref: 00007FFBA96781E4
IsValidCodePage.KERNEL32 ref: 00007FFBA967821C
GetLocaleInfoW.KERNEL32 ref: 00007FFBA96783D9

Strings

utf8, xrefs: 00007FFBA9678300

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 01cd00d5ddd00ab2b05f061d9c91774c071778d323d05a94567de8e0c2d09ac9
Instruction ID: 682c369d45d609152d66b8fee31ab565de73d83da12c37a81d30be8157d137f4
Opcode Fuzzy Hash: 01cd00d5ddd00ab2b05f061d9c91774c071778d323d05a94567de8e0c2d09ac9
Instruction Fuzzy Hash: BD917EB2A0A74385EB669F79DC812B923A4EF44B80F485131DE5CCB699DF3CE951E310

Function 00007FFBA9678B40 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FC5

GetUserDefaultLCID.KERNEL32 ref: 00007FFBA9678CB0

Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FF2
Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA966A003
Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA966A014

EnumSystemLocalesW.KERNEL32 ref: 00007FFBA9678C97
ProcessCodePage.LIBCMT ref: 00007FFBA9678CDA
IsValidCodePage.KERNEL32 ref: 00007FFBA9678CEC
IsValidLocale.KERNEL32 ref: 00007FFBA9678D02
GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678D5E
GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678D7A

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 656e47501cfea0a0ea2f87b97c9b25842ee585911fd9908397dd5673104ce058
Instruction ID: fe88fd331f2a9300646d7a22be8df6b22ec1c3d25f95c3ca64a8e027d05db7f8
Opcode Fuzzy Hash: 656e47501cfea0a0ea2f87b97c9b25842ee585911fd9908397dd5673104ce058
Instruction Fuzzy Hash: F2717BA2F066038AFB569F78DC906B827A0AF44B44F585435CE1DCB699EF3CA845E350

Function 00007FFBA965881C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFBA9658838
RtlCaptureContext.KERNEL32 ref: 00007FFBA9658865
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBA965887F
RtlVirtualUnwind.KERNEL32 ref: 00007FFBA96588C0
IsDebuggerPresent.KERNEL32 ref: 00007FFBA9658914
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBA9658931
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBA965893C

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: be10d719294079d87c5b62fb1d1e2af676fa7a380d78c3f040edb14f565e2022
Instruction ID: e7ba0d28008fdc1105e8dbd5512b62075dd8b33599acab18296439b62338bd90
Opcode Fuzzy Hash: be10d719294079d87c5b62fb1d1e2af676fa7a380d78c3f040edb14f565e2022
Instruction Fuzzy Hash: A6316DB260AB8286EB658F74E8443ED7360FB84748F44443ADB4E87B98DF38D248D710

Function 00007FFBA967037C Relevance: 9.3, APIs: 6, Instructions: 335timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFBA96703C1

Part of subcall function 00007FFBA966FA38: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966FA4C

Part of subcall function 00007FFBA966CC34: HeapFree.KERNEL32 ref: 00007FFBA966CC4A
Part of subcall function 00007FFBA966CC34: GetLastError.KERNEL32 ref: 00007FFBA966CC54

Part of subcall function 00007FFBA967A930: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967A87B

_get_daylight.LIBCMT ref: 00007FFBA96703B0

Part of subcall function 00007FFBA966FA98: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966FAAC

_get_daylight.LIBCMT ref: 00007FFBA9670626
_get_daylight.LIBCMT ref: 00007FFBA9670637
_get_daylight.LIBCMT ref: 00007FFBA9670648
GetTimeZoneInformation.KERNEL32 ref: 00007FFBA967066F

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 355007559-0
Opcode ID: 0c2e8801fb2dc04f78ed74c10a6ef9617fad27c53f07f02321e66a6021fb1eff
Instruction ID: 07da2327dee0934101006d291c49ff8e69824c96f83c0e54a747102abfa2150a
Opcode Fuzzy Hash: 0c2e8801fb2dc04f78ed74c10a6ef9617fad27c53f07f02321e66a6021fb1eff
Instruction Fuzzy Hash: 57D103A6A1A25386EB26DF39DC401B92761FF48784F80A036EE0DC7699DF3CE441E750

Function 00007FFBA9663938 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966395A
_get_daylight.LIBCMT ref: 00007FFBA96639BA
_get_daylight.LIBCMT ref: 00007FFBA96639CB
_get_daylight.LIBCMT ref: 00007FFBA96639DC
_isindst.LIBCMT ref: 00007FFBA9663A2D
_isindst.LIBCMT ref: 00007FFBA9663A80

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 9cfd9babe96b075446510684792b614fbcf18e7f3939418273870a4106b61290
Instruction ID: d95de01794a61a673d49dc50472967a57f420fa12499866a7ac5260b83aeb6f0
Opcode Fuzzy Hash: 9cfd9babe96b075446510684792b614fbcf18e7f3939418273870a4106b61290
Instruction Fuzzy Hash: B39194B2B062874AEB5D8F39CD0167863A5EF56788F44A135EF0DCA789EE3CE5409740

Function 00007FFBA96646C0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFBA9664739
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFBA9664751
RtlVirtualUnwind.KERNEL32 ref: 00007FFBA966478C
IsDebuggerPresent.KERNEL32 ref: 00007FFBA96647C5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFBA96647CF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFBA96647DA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 7753515188e689dc433f5d762c120a79ed76e948028c13446575d16f941e486b
Instruction ID: e7ea93a8543beadb26cd3fd8609ff32fe477eb3d3dbd8704493d2cd249796a7b
Opcode Fuzzy Hash: 7753515188e689dc433f5d762c120a79ed76e948028c13446575d16f941e486b
Instruction Fuzzy Hash: 92317F72619B8286EB65CF38E8442AE73A1FB89794F540135EE9D83B98DF38D145CB00

Function 00007FFBBAF9CAB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9CAFA
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9CB06
OSSL_STACK_OF_X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9CB13
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9CB2D

Strings

ssl\ssl_cert.c, xrefs: 00007FFBBAF9CB1C

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: X509_free$O_freeY_free
String ID: ssl\ssl_cert.c
API String ID: 3239439570-188639428
Opcode ID: 9268a1b8882ed91f8901bbb3e86682302bf313b190bfb8a00db69ff10e519511
Instruction ID: 15375c64e27d1fc3fa27dcf087c6c27783503808660f0b81012ec74bbce57f64
Opcode Fuzzy Hash: 9268a1b8882ed91f8901bbb3e86682302bf313b190bfb8a00db69ff10e519511
Instruction Fuzzy Hash: C1118C76A08B818AD7549F2AE49017C7764FB49F84F588035EF8E53B5ACF38E4628748

Function 00007FFBBAFBC9B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAFBC9FF
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFBCA5D
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFBCA88

Strings

ssl\t1_lib.c, xrefs: 00007FFBBAFBC9EE, 00007FFBBAFBCA48

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$O_malloc
String ID: ssl\t1_lib.c
API String ID: 2767441526-1168734446
Opcode ID: 8a540f19bf6c6cce4edfbbe672a87511dc1d221653dfd8b3e9f844bbc82defd4
Instruction ID: 8ad7aa4353dcb96576801c40b4862fdc614f51895714f08925366d12aed6805a
Opcode Fuzzy Hash: 8a540f19bf6c6cce4edfbbe672a87511dc1d221653dfd8b3e9f844bbc82defd4
Instruction Fuzzy Hash: E8218D62B08A5141E751CB29D5201AEA669FB59FC0F948131EF8C83B95EE3DD552C304

Function 00007FFBBAFEA9E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBAFCB94F), ref: 00007FFBBAFEAA2B
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBAFCB94F), ref: 00007FFBBAFEAA40
CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBAFCB94F), ref: 00007FFBBAFEAA69

Strings

ssl\quic\quic_txpim.c, xrefs: 00007FFBBAFEAA17, 00007FFBBAFEAA36, 00007FFBBAFEAA54

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free
String ID: ssl\quic\quic_txpim.c
API String ID: 2581946324-1264249673
Opcode ID: 6328e5f5ab6b1a9dffc21c852796eb498179218bda839ac44fee52acb60c7577
Instruction ID: 236edfa30b4cb157bd8b094b3d77d9953b945116bed89994775d0a64f07003eb
Opcode Fuzzy Hash: 6328e5f5ab6b1a9dffc21c852796eb498179218bda839ac44fee52acb60c7577
Instruction Fuzzy Hash: 9F019EA2A19B8280EE459B6AE9402F86264FB58BC0F889071EF4D47B55DE3CD1408708

Function 00007FFBA96705F8 Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFBA9670626

Part of subcall function 00007FFBA966FA98: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966FAAC

_get_daylight.LIBCMT ref: 00007FFBA9670637

Part of subcall function 00007FFBA966FA38: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966FA4C

_get_daylight.LIBCMT ref: 00007FFBA9670648

Part of subcall function 00007FFBA966FA68: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966FA7C

Part of subcall function 00007FFBA966CC34: HeapFree.KERNEL32 ref: 00007FFBA966CC4A
Part of subcall function 00007FFBA966CC34: GetLastError.KERNEL32 ref: 00007FFBA966CC54

GetTimeZoneInformation.KERNEL32 ref: 00007FFBA967066F

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: e4de9cc3640005c327bb6538f92e0e3fac1eb9fbb5f1a98633e591f6771f07e3
Instruction ID: 7351a536dd39b424c8681ca4ff977aa2bb90520b55972259dda1b800d47e6eb8
Opcode Fuzzy Hash: e4de9cc3640005c327bb6538f92e0e3fac1eb9fbb5f1a98633e591f6771f07e3
Instruction Fuzzy Hash: 2451A1B2A1A65386E712DF39EC804A97760FF48784F806536EE4DC3699DF3CE444AB40

Function 00007FFBA966653C Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9666972
_get_daylight.LIBCMT ref: 00007FFBA9666A0D
_get_daylight.LIBCMT ref: 00007FFBA9666A26

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 248e6750dd39809d77d06cec881b0ad276bb7097c1898be71db1d20c0d781105
Instruction ID: 4bc7efb3cb9e5e42b05517e5949b6e50e430b5da5995e05cf21a6e6029253ad6
Opcode Fuzzy Hash: 248e6750dd39809d77d06cec881b0ad276bb7097c1898be71db1d20c0d781105
Instruction Fuzzy Hash: A492C0B2A0A74386EB2A8F38E95417927A6FF46784F146135DF8987B94DF3DE510E300

Function 00007FFBBAFA49F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CRYPTO_memdup.LIBCRYPTO-3-X64 ref: 00007FFBBAFAE8B1
CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFAE8CE

Strings

ssl\ssl_lib.c, xrefs: 00007FFBBAFAE8A4, 00007FFBBAFAE8C1

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ssl\ssl_lib.c
API String ID: 3962629258-1984206432
Opcode ID: 4bdc884f8559bea3c8bfc6b7a6d1a32371452adfed0a2dd1d3a8d1090ca1afbb
Instruction ID: eacc430d26ca66cdf706ab2c59150e861357750bc998b37147a595f546e91e6b
Opcode Fuzzy Hash: 4bdc884f8559bea3c8bfc6b7a6d1a32371452adfed0a2dd1d3a8d1090ca1afbb
Instruction Fuzzy Hash: DE21C1A1F09B5280FA608A6BE5447F866AABF59BC0F588471EF4C83B95DD3CD504C308

Function 00007FFBBAF92C60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF92C9E

Part of subcall function 00007FFBBAF92860: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF9287D

CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF92D3F

Part of subcall function 00007FFBBAF92860: InitializeCriticalSection.KERNEL32 ref: 00007FFBBAF92893

Part of subcall function 00007FFBBAF92460: CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF9247F

Part of subcall function 00007FFBBAF92940: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF92964
Part of subcall function 00007FFBBAF92940: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFBBAF92990

Strings

crypto\thread\arch.c, xrefs: 00007FFBBAF92C94, 00007FFBBAF92D35

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_zalloc$CriticalInitializeO_freeO_mallocSection_beginthreadex
String ID: crypto\thread\arch.c
API String ID: 4205757297-147645559
Opcode ID: 1c3112d941afe6a30f7f40d9b63247e3cda19d80b9fcd5c1098ac3325d91da15
Instruction ID: 184a5356fcf3f24b77ee6e0a25578c61aa980fb84b20f3ad02f8e75e21e5f3e5
Opcode Fuzzy Hash: 1c3112d941afe6a30f7f40d9b63247e3cda19d80b9fcd5c1098ac3325d91da15
Instruction Fuzzy Hash: 6D2181A1E1AB4245EA54DB39D4A00F922A8FF48B84F541075EF4D8779ADF3CE500C318

Function 00007FFBA965600C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FFBA9656032
FormatMessageA.KERNEL32 ref: 00007FFBA9656065

Strings

!x-sys-default-locale, xrefs: 00007FFBA9656025

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 3545eb06942d3c8c02c5799b8c618517a3fb3a809595f124b116133680c198f1
Instruction ID: b4af0a8874aee8091c0bbb2810eaeda4e44eb0ea75e2c4c0dd3259c557eb532f
Opcode Fuzzy Hash: 3545eb06942d3c8c02c5799b8c618517a3fb3a809595f124b116133680c198f1
Instruction Fuzzy Hash: 4F01C4B1B0878782FB128F36F94076A67A1FB947C4F044035DE8986A98DF3CE501D700

Function 00007FFBBAFC6B40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAFC7050: BIO_ctrl.LIBCRYPTO-3-X64(00000000,00007FFBBAFC6B67,00000000,00007FFBBAFC7D85,?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC70C3

CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAFC7D85,?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC6B7A
CRYPTO_free.LIBCRYPTO-3-X64(00000000,00007FFBBAFC7D85,?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC6BA3

Strings

ssl\quic\json_enc.c, xrefs: 00007FFBBAFC6B6B, 00007FFBBAFC6B9C

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_free$O_ctrl
String ID: ssl\quic\json_enc.c
API String ID: 1134426049-3790216822
Opcode ID: 339a19dacbbf345560f7325da9f9d72bddfdd24b3860b04fa443278b3fa4fc41
Instruction ID: c172ea90c067fe3e0fbe0c3c477c8e312018212fc87bad67f068449c5e187f28
Opcode Fuzzy Hash: 339a19dacbbf345560f7325da9f9d72bddfdd24b3860b04fa443278b3fa4fc41
Instruction Fuzzy Hash: 7C0162B2A1865181EB40DB79E8401AC6368FB88B84F849132FB4D47B6ACF7CD592C744

Function 00007FFBA9665B70 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FFBA9665BD6
memcpy_s.LIBCPMT ref: 00007FFBA9665C01

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 8101bab96facb9530bfb020494a0e1e968264cdbe7156957248635d7c5768935
Instruction ID: c77c73d944941f767618757ea82b9fa21811aa2569a528a4e089d07ca62ec2e9
Opcode Fuzzy Hash: 8101bab96facb9530bfb020494a0e1e968264cdbe7156957248635d7c5768935
Instruction Fuzzy Hash: EAC117B6B1928687DB298F2DE44476AB7A1FB85784F449134DF4A83B84DB3DE801DB00

Function 00007FFBA96785BC Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FC5

GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678628

Part of subcall function 00007FFBA9674000: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967401D

GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678671

Part of subcall function 00007FFBA9674000: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9674076

GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678739

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 391de5660791344f092c97b75031ff99da82e7b5278da706d7b83a43f1a52df8
Instruction ID: 447ce87d44e00b32316d9ea90cec02375f263766546d2bcf5a01ffc60d147035
Opcode Fuzzy Hash: 391de5660791344f092c97b75031ff99da82e7b5278da706d7b83a43f1a52df8
Instruction Fuzzy Hash: 03617EB2A1A54396EB258F29E98027D63A1FF84780F489135CF4EDB699DF3CE8509700

Function 00007FFBBB002B00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64(?,00000000,?,00007FFBBAFE61D8,?,00007FFBBAFCF4E2,?,00007FFBBAFD0F50), ref: 00007FFBBB002C21

Strings

ssl\statem\extensions_cust.c, xrefs: 00007FFBBB002C1A

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\statem\extensions_cust.c
API String ID: 3931833713-1564674317
Opcode ID: 5dc7d7272c6bfd534e1a47d789c624da942c186901d59761e6a9da8c2f81b571
Instruction ID: 5bf94624c4214d56fe04105c77b7b2f21a5599f69737d7b2640bb948c28fcab2
Opcode Fuzzy Hash: 5dc7d7272c6bfd534e1a47d789c624da942c186901d59761e6a9da8c2f81b571
Instruction Fuzzy Hash: C141A0B2A08F8585EA558F2DD4A0139A3A0FB44794F94C636DF5D437B4DF39E851C708

Function 00007FFBBAFEAAD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64(?,00007FFBBAFE8D4F,?,?,00000004,?,?,00000004,00007FFBBAFE7981,?,?,?,?,?,?,00007FFBBAFCF82E), ref: 00007FFBBAFEAAFF

Strings

ssl\quic\quic_txpim.c, xrefs: 00007FFBBAFEAAF8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_zalloc
String ID: ssl\quic\quic_txpim.c
API String ID: 1208671065-1264249673
Opcode ID: f8be8636c87180ea30fa82bd2c032d5e55fcf9c4df070983545b0fe2c1c1c5b3
Instruction ID: 253f96e40f01b5ac056ee3a25d9f612e8825078f8b741f744c1e41db28c84c55
Opcode Fuzzy Hash: f8be8636c87180ea30fa82bd2c032d5e55fcf9c4df070983545b0fe2c1c1c5b3
Instruction Fuzzy Hash: ED3109B2904B8181DB88CF29E9403A873E8FB59B85F58D236DB8C87B55EF34D4E48304

Function 00007FFBBAFEAC00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64(00000000,00007FFBBAFEA08B,00000000,?,?,00000004,?,?,00007FFBBAFE7D38), ref: 00007FFBBAFEAC8C

Strings

ssl\quic\quic_txpim.c, xrefs: 00007FFBBAFEAC78

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\quic\quic_txpim.c
API String ID: 3931833713-1264249673
Opcode ID: fc242aa284e312594a74a2bea89cccd4ee618b6b78464d2cddba3294317bd399
Instruction ID: 6836eb4f328c7b1915fa67918b237cb47df1f2df870537f631a1cb1ddd593699
Opcode Fuzzy Hash: fc242aa284e312594a74a2bea89cccd4ee618b6b78464d2cddba3294317bd399
Instruction Fuzzy Hash: A0216A62E09B858AEB409B2DE5443E86364FB58BC8F588531EF9D8776ADF28D5818304

Function 00007FFBBAF91C50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF91C95

Part of subcall function 00007FFBBAF91A20: BUF_MEM_grow.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF9136E), ref: 00007FFBBAF91AB1

Strings

crypto\packet.c, xrefs: 00007FFBBAF91C89

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: M_growO_zalloc
String ID: crypto\packet.c
API String ID: 1786808141-224687097
Opcode ID: ce9518be9f35356f5dc96ee70a4c77462c3d6dbdf1d6a790163304a02aabc4d2
Instruction ID: ea2982821c8fb6506ad04b9ee10016390bb4549cc6cd0d3e96ecb6a85e4c300c
Opcode Fuzzy Hash: ce9518be9f35356f5dc96ee70a4c77462c3d6dbdf1d6a790163304a02aabc4d2
Instruction Fuzzy Hash: 2211A5B2A08B4181DB858B29E6903A862E8EF58BD4F555136DF4C87795DF38D8A0C748

Function 00007FFBBAFD19B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1A01

Strings

ssl\quic\quic_demux.c, xrefs: 00007FFBBAFD19FA

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_malloc
String ID: ssl\quic\quic_demux.c
API String ID: 1457121658-194952269
Opcode ID: f4bd08bf262fc76bbaa63431d5fc54462baf3d9b81014e68ac9f25c3f6b250f9
Instruction ID: d5a07592cfb354ab4dcf26171e28dfee7a62053cf0f36490152ee50255613dd1
Opcode Fuzzy Hash: f4bd08bf262fc76bbaa63431d5fc54462baf3d9b81014e68ac9f25c3f6b250f9
Instruction Fuzzy Hash: 25219D72A09B8185D7058F28E40016C77A8FB58F94F588635EF9C87799EF39E8A1C308

Function 00007FFBBAFC6BC0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3-X64(?,00007FFBBAFC7C44,?,00000000,?,?,02000100,00007FFBBAFCC1FB,02000100,00007FFBBAFCE4EA,?,00007FFBBAFD0F24), ref: 00007FFBBAFC6C0F

Strings

ssl\quic\json_enc.c, xrefs: 00007FFBBAFC6BE6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_malloc
String ID: ssl\quic\json_enc.c
API String ID: 1457121658-3790216822
Opcode ID: a812761d5be0521279246a99b307856972bfaf4717839bd69038e363915a064f
Instruction ID: 2695689b80653e621832afec58cfeab2b433b6aae85a92a257ce836b4b78024a
Opcode Fuzzy Hash: a812761d5be0521279246a99b307856972bfaf4717839bd69038e363915a064f
Instruction Fuzzy Hash: DE01A163D187C085E340CF6CE5403BD77A0FB68B8CF64A225EB8803266EA7AD5D2C304

Function 00007FFBA966ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FFBA966ED44

Strings

GetLocaleInfoEx, xrefs: 00007FFBA966ECEC, 00007FFBA966ECFD

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: d8a23bc6dca394336b82b2ac790f2e8e6bf63dafc7cb831a25f0854d10cd8d48
Instruction ID: f49bf7dce118d6df85e2567b967af279963a334150c4241b8065ce651bbc270c
Opcode Fuzzy Hash: d8a23bc6dca394336b82b2ac790f2e8e6bf63dafc7cb831a25f0854d10cd8d48
Instruction Fuzzy Hash: 3E018465F09682C6EB4A8F66F8044A6A760FF85BC0F584436EF4D87765CF3CD5419350

Function 00007FFBBAFE89A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-3-X64(?,00007FFBBAFE87E3,?,?,?,?,?,00000000,?,00007FFBBAFE7CC1), ref: 00007FFBBAFE89F1

Strings

ssl\quic\quic_txp.c, xrefs: 00007FFBBAFE89DD

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_realloc
String ID: ssl\quic\quic_txp.c
API String ID: 3931833713-3700743932
Opcode ID: 7f0d074b31978773a87242dd835540c81a5dcb31978fde13dd91076c6bfffc33
Instruction ID: f9f2ec2ee84d68af472ae8f9b74d6471e01478d7ce129559d48ec5aca2c787df
Opcode Fuzzy Hash: 7f0d074b31978773a87242dd835540c81a5dcb31978fde13dd91076c6bfffc33
Instruction Fuzzy Hash: ADF0AFE2F1574182EF445729E6002A82295FB58B88F581036EF5C97799EF2DE9A2C348

Function 00007FFBBAFDBC50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAFDC220: CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBAFDBC7D,?,00007FFBBAFCBA05), ref: 00007FFBBAFDC29B

Part of subcall function 00007FFBBAFDD7F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,00007FFBBAFDE85B,?,00007FFBBAFCB964), ref: 00007FFBBAFDD879
Part of subcall function 00007FFBBAFDD7F0: OPENSSL_cleanse.LIBCRYPTO-3-X64(?,00007FFBBAFDE85B,?,00007FFBBAFCB964), ref: 00007FFBBAFDD88F
Part of subcall function 00007FFBBAFDD7F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,00007FFBBAFDE85B,?,00007FFBBAFCB964), ref: 00007FFBBAFDD8C9
Part of subcall function 00007FFBBAFDD7F0: OPENSSL_cleanse.LIBCRYPTO-3-X64(?,00007FFBBAFDE85B,?,00007FFBBAFCB964), ref: 00007FFBBAFDD8DF
Part of subcall function 00007FFBBAFDD7F0: EVP_MD_free.LIBCRYPTO-3-X64(?,00007FFBBAFDE85B,?,00007FFBBAFCB964), ref: 00007FFBBAFDD8ED

CRYPTO_free.LIBCRYPTO-3-X64(?,00007FFBBAFCBA05), ref: 00007FFBBAFDBCCF

Strings

ssl\quic\quic_record_rx.c, xrefs: 00007FFBBAFDBCBA

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_cleanseO_freeX_free$D_free
String ID: ssl\quic\quic_record_rx.c
API String ID: 605114375-3047069087
Opcode ID: 16fe0e4dbf4aae1d5425485b8cf7adb74aec45e053169e44d698899bdbd40c0c
Instruction ID: bad1edd4602e7816873aca3184ed741799ecd7c33ed61e3aa1034d7fd431b42b
Opcode Fuzzy Hash: 16fe0e4dbf4aae1d5425485b8cf7adb74aec45e053169e44d698899bdbd40c0c
Instruction Fuzzy Hash: F201A2A6F1828151EA45A779E2912FC5315FF457C1F805071FF8E43A96DF1CE0528309

Function 00007FFBBAF91BE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF91C13

Strings

crypto\packet.c, xrefs: 00007FFBBAF91C07

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_zalloc
String ID: crypto\packet.c
API String ID: 1208671065-224687097
Opcode ID: 345f99134737494993e9b607a0b7145cb7d727d02967e98820a42e582d3babb3
Instruction ID: a140659b5d1b6312e480be582a9cbbcf5db154e28807642aeedbc0814db38c25
Opcode Fuzzy Hash: 345f99134737494993e9b607a0b7145cb7d727d02967e98820a42e582d3babb3
Instruction Fuzzy Hash: 06F030A2A06B0581EB549B6DE4943A822A4EB1CB58F644034DB0C87391EF7DD9D2C348

Function 00007FFBA9670E44 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFBA9671093
RaiseException.KERNEL32 ref: 00007FFBA96710A4

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b43bfac7ff84ecc63afdb2be0bf555b19925ba4bc27e2a28ef9c11fd3a4591d6
Instruction ID: 2bf0451fc17e7c1bafce9b56f5d637993cfa7d3258adb20c686aa04cbe075f9d
Opcode Fuzzy Hash: b43bfac7ff84ecc63afdb2be0bf555b19925ba4bc27e2a28ef9c11fd3a4591d6
Instruction Fuzzy Hash: 4CB149B3615B898AE716CF2DC88636C3BA0FB44B88F158922DE5DC77A8CB39D451D700

Function 00007FFBBAFAABF0 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAC30
CRYPTO_THREAD_unlock.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAC44

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: D_unlockD_write_lock
String ID:
API String ID: 1724170673-0
Opcode ID: 08e68c043ecf28fdac3dbec212fa440aa0356f5ae018d8dcad2c09755ee9fbdb
Instruction ID: ef874acd32cce8bea71f7c8f0dde8eef663e98f0c5ce6054df8ab357713b6b88
Opcode Fuzzy Hash: 08e68c043ecf28fdac3dbec212fa440aa0356f5ae018d8dcad2c09755ee9fbdb
Instruction Fuzzy Hash: 5C018462F1854282FB649B39E5401B962B8EF44BC4F184071FF9DC7B99DF29D891C704

Function 00007FFBA9603A10 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFBA9603E6A
+, xrefs: 00007FFBA9603E76

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: b15cd50844c69f810b6c0e1488f512281cadc3ea31063a2cf4d45e90b883c2e8
Instruction ID: 5063fa2503ed68b5d25fe62056a5f9a2eac76d48735ac9481cb06925460712a8
Opcode Fuzzy Hash: b15cd50844c69f810b6c0e1488f512281cadc3ea31063a2cf4d45e90b883c2e8
Instruction Fuzzy Hash: A8121452B1968299FB228E39DC807AD2761EF55798F049232EE4D97BC9DF3CD6819300

Function 00007FFBA96048F0 Relevance: 3.0, Strings: 2, Instructions: 491COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFBA9604D4A
+, xrefs: 00007FFBA9604D56

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 6dc846ff36886e2d0513bec817f384c3f9af80f5b5fc95dd7422e612778a52c4
Instruction ID: ae98ed3db15b684cf06f29d91f4c3e8237d8943ec85d48b8df74379ffe9800f2
Opcode Fuzzy Hash: 6dc846ff36886e2d0513bec817f384c3f9af80f5b5fc95dd7422e612778a52c4
Instruction Fuzzy Hash: 0E12F352B1969299FB228F7DD8803AD2761EF55798F049232EE4D97BD8EF3CD4819300

Function 00007FFBA9667578 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

am/pm, xrefs: 00007FFBA9667827
a/p, xrefs: 00007FFBA9667892

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: d9728740b84fb3956112ff6b3c51fcdaafd8718e585481cdc11c660a118054a7
Instruction ID: ee451e487ee518553bfe75b12b2ccdcaef5c6d059c2914d5b49adbdeb2152ed5
Opcode Fuzzy Hash: d9728740b84fb3956112ff6b3c51fcdaafd8718e585481cdc11c660a118054a7
Instruction Fuzzy Hash: FCE1A2A290A34381E76A8F3DD9546F926A2FF52784F556136EF0D87694DF3CEA40E300

Function 00007FFBA9661A78 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FFBA9661E28
, xrefs: 00007FFBA9661BE6

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: ee831537915ef0f8c5ed1027a94d395d73f6c6b2c35e0586f731b7f7eb3d3321
Instruction ID: 3fe38360ac2d8bcd11779f9826d399c1bde3f23b1b7d19f49ad0a3dfe41ff133
Opcode Fuzzy Hash: ee831537915ef0f8c5ed1027a94d395d73f6c6b2c35e0586f731b7f7eb3d3321
Instruction Fuzzy Hash: D3E182B290A64746DB6E8E3DC8D013D23A0EF46B48F166235DF4987694DF3DE851E340

Function 00007FFBA966D7F4 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FFBA966D901
gfff, xrefs: 00007FFBA966D97E

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 187e42d5f1bba94183d59eb05f6d4e2d34cacb00223480b45c3412e5d6ba8086
Instruction ID: b48f184890552d597b5570a9b9ca148f5a19bb425c7137327fed489ed7f17761
Opcode Fuzzy Hash: 187e42d5f1bba94183d59eb05f6d4e2d34cacb00223480b45c3412e5d6ba8086
Instruction Fuzzy Hash: EC5147A2B192C286E72A8E3DDC1476967D1EB46B94F08A235CF988BAD5CF3DD444D700

Function 00007FFBA96652A0 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FFBA96653E8

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: b9c22e51d3b51a2195e695cf4e212c810726a9a1efa4c4cf610fab2083ccd8a1
Instruction ID: 3d577b2101c083b11adf55ee66f5a8294fa0ac5573673bb972115329e128077f
Opcode Fuzzy Hash: b9c22e51d3b51a2195e695cf4e212c810726a9a1efa4c4cf610fab2083ccd8a1
Instruction Fuzzy Hash: AE12AD62A09BC686E756CF38D8053F977A4FB59748F05A239EF8C86652DF38E580D700

Function 00007FFBA96769EC Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4d3df031bbfc144c96543307f7715b194dac3cd32ec0316a6f11556197dff7
Instruction ID: 0bc927764d9630d0dad92f04fd55900e05b7a4230652ad146588805584f853e6
Opcode Fuzzy Hash: 1f4d3df031bbfc144c96543307f7715b194dac3cd32ec0316a6f11556197dff7
Instruction Fuzzy Hash: 37E16E72A09B8286EB21DF65E8406EE77A4FB94788F405631DF8D93B56EF38D245D300

Function 00007FFBA96745C4 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81098ba92a5ce56800bb2812667278f70315dc3c3ea89b427217d66c43c16284
Instruction ID: 3532b07359f23b63b531db8c2eebf7cbdaf82fe8d1c749629f741341b836b1a4
Opcode Fuzzy Hash: 81098ba92a5ce56800bb2812667278f70315dc3c3ea89b427217d66c43c16284
Instruction Fuzzy Hash: E7510362B0968295FB219F7AEC442AA7BA2FF417D4F145234EE5CA7A89DE3CD401D700

Function 00007FFBA9678804 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

Part of subcall function 00007FFBA9669F80: FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FC5

GetLocaleInfoW.KERNEL32 ref: 00007FFBA967886C

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: 311cf5c872d4faafd0348a2ecbd5393a3fdbb259c848d86310504ba951a8553c
Instruction ID: a47716ba2997dae645e28d23a393efbe887aa9dcf94cd3df466daf82cfbc6d46
Opcode Fuzzy Hash: 311cf5c872d4faafd0348a2ecbd5393a3fdbb259c848d86310504ba951a8553c
Instruction Fuzzy Hash: C5317571A0A68346EB698F39E8813BA73A1FF48784F489135DE5DC7699DF3CE8109700

Function 00007FFBA9678454 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

EnumSystemLocalesW.KERNEL32 ref: 00007FFBA96784F2

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 8378bd829e178c7957408ca27f153a43c5f22895a5bd8725d975f44b1e94d365
Instruction ID: 69f66a552849cfe625d77be170307748fb546ea7f0e7524f8fe75df5cc09dfa5
Opcode Fuzzy Hash: 8378bd829e178c7957408ca27f153a43c5f22895a5bd8725d975f44b1e94d365
Instruction Fuzzy Hash: E411E7A3E09646C6EB168F39D4802AD7BA0FB90BE0F585135CA59C73C8DA78D9D1D740

Function 00007FFBA9678A0C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

GetLocaleInfoW.KERNEL32 ref: 00007FFBA9678A43

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 1d42175a48ce18004b67c5f8d7306e314326c52b69f22775e85d19fafd4ab306
Instruction ID: bb941e8d4450fc159159da9a5e8ef14b42966c99f8a005c4c7d5de4c817cb228
Opcode Fuzzy Hash: 1d42175a48ce18004b67c5f8d7306e314326c52b69f22775e85d19fafd4ab306
Instruction Fuzzy Hash: 77112B72F1955343E7798E39E880A7A2251EF80754F185232DE2DDB6C8EE29DC419700

Function 00007FFBA9678524 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFBA9669F80: GetLastError.KERNEL32 ref: 00007FFBA9669F8F
Part of subcall function 00007FFBA9669F80: FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
Part of subcall function 00007FFBA9669F80: SetLastError.KERNEL32 ref: 00007FFBA966A02F

EnumSystemLocalesW.KERNEL32 ref: 00007FFBA96785A2

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 6e5f6dd7e458195d10b63c3c3cf97015b104bdbbf7faf66decb82ca4e2b44870
Instruction ID: df033a354cc9411049c3fadd764c33aea004a223027f944a5c1acaaa99e073be
Opcode Fuzzy Hash: 6e5f6dd7e458195d10b63c3c3cf97015b104bdbbf7faf66decb82ca4e2b44870
Instruction Fuzzy Hash: 4A019BA1A1918246F7555F39E88077976A1DF40794F4D9232DA68CB2C8DF789C809700

Function 00007FFBBAFEDBD0 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAFED3F0: ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBAFEDC0C,?,00007FFBBAFCEDA9), ref: 00007FFBBAFED4E0
Part of subcall function 00007FFBBAFED3F0: ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBAFEDC0C,?,00007FFBBAFCEDA9), ref: 00007FFBBAFED4F8
Part of subcall function 00007FFBBAFED3F0: ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBAFEDC0C,?,00007FFBBAFCEDA9), ref: 00007FFBBAFED84F
Part of subcall function 00007FFBBAFED3F0: EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBAFEDC0C,?,00007FFBBAFCEDA9), ref: 00007FFBBAFED856
Part of subcall function 00007FFBBAFED3F0: EVP_CIPHER_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00007FFBBAFEDC0C,?,00007FFBBAFCEDA9), ref: 00007FFBBAFED85D

CRYPTO_memcmp.LIBCRYPTO-3-X64(?,00007FFBBAFCEDA9), ref: 00007FFBBAFEDC2A

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_memcmpR_freeR_newR_set_debugR_set_errorX_free
String ID:
API String ID: 3555451423-0
Opcode ID: 64b8251a64241b4f0d662e9ef06fee5b0e2d17004c0f8c24e3db273aec5e4e5b
Instruction ID: 053ba90c6aaeb54bf6ac15a7a657f377201594bf18a220ee46d0f5c86b6d42f9
Opcode Fuzzy Hash: 64b8251a64241b4f0d662e9ef06fee5b0e2d17004c0f8c24e3db273aec5e4e5b
Instruction Fuzzy Hash: 610171A2F19A4146FF58973CE4552BA2295BF8A794F800235FF5DC3AD6EE2CD5408608

Function 00007FFBA966E790 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 00007FFBA966E7DF

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 311d1e4350665856ecb258e72f16caa9821ef5f74c5284397a05afc2cca30d57
Instruction ID: c6716108ba70851e844f435eb0f06932d6f41ecfcd41101d3363e915c38dfdee
Opcode Fuzzy Hash: 311d1e4350665856ecb258e72f16caa9821ef5f74c5284397a05afc2cca30d57
Instruction Fuzzy Hash: 19F01DB5A09A4283EB05DF69E8905A923A1EF99BC0F54A035DF4DC3365DE3CD465E304

Function 00007FFBA966D360 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FFBA966D6A2

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 7b646c8bea982d8c378c3d26783094b4f6dc3329359d8b1c484772745c84a0eb
Instruction ID: d47468647c647cbdbbe177042893b12398d87d7c1294e5c1110c095ddfd67c86
Opcode Fuzzy Hash: 7b646c8bea982d8c378c3d26783094b4f6dc3329359d8b1c484772745c84a0eb
Instruction Fuzzy Hash: 83A137A2A0A7C646EB26CF39EC207A97BD1AF52788F04A131DF4D87785DA3DE401D701

Function 00007FFBA9660CE0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

, xrefs: 00007FFBA9660EBC

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2372a7cf60c3470b4743c25747f468edf4901a079f94f555dab43bbfcd6927d1
Instruction ID: 1989f9b07fe31a05f9579f361c6d79d891dc1ccb5391b9b97cdaf4abc65e39f6
Opcode Fuzzy Hash: 2372a7cf60c3470b4743c25747f468edf4901a079f94f555dab43bbfcd6927d1
Instruction Fuzzy Hash: FEB16FB290A79685E76A8F3EC89017C3BA0EB46B48F646135CF8D87395CF39E441E741

Function 00007FFBA967331C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFBA96733C1

Part of subcall function 00007FFBA966BDD4: HeapAlloc.KERNEL32 ref: 00007FFBA966BE29

Part of subcall function 00007FFBA966CC34: HeapFree.KERNEL32 ref: 00007FFBA966CC4A
Part of subcall function 00007FFBA966CC34: GetLastError.KERNEL32 ref: 00007FFBA966CC54

Part of subcall function 00007FFBA967BA70: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967BAA3

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: b233114a7062e9a634acbb64c8ebac748039a95d529c99becfd938c11555b1d1
Instruction ID: e2c0aec2a44d8a940a81f4ce18e4b4b9e677cc7886bbec9cfd3c82084b784c4a
Opcode Fuzzy Hash: b233114a7062e9a634acbb64c8ebac748039a95d529c99becfd938c11555b1d1
Instruction Fuzzy Hash: C941B5A2B0B64341FF279E3AFC51A7A6690AF85790F446135DE4DD778DEE3CE401A600

Function 00007FFBBAFEDC60 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 91e36480d29fab5a224ff033f09a65a7e98addcf7b728354c60745d2d2354667
Instruction ID: 9f62a86c52ede246cc22ad85724b17c49052e638a77d17b25dd88ba5ddfd9595
Opcode Fuzzy Hash: 91e36480d29fab5a224ff033f09a65a7e98addcf7b728354c60745d2d2354667
Instruction Fuzzy Hash: 4DE1BCB3A05A9596EB548F39E94026933A9FB01B84F058175CF5D87B95EF3CE4B4C308

Function 00007FFBA9661674 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed3a561e6f15b0dc8d51b02bcf54f2c21bc3a555287752192b2b82a5be5c401
Instruction ID: cdbe4e5f135fe43b0d65a0a96cd1773969364f66af726a74bea50319fcaed797
Opcode Fuzzy Hash: 1ed3a561e6f15b0dc8d51b02bcf54f2c21bc3a555287752192b2b82a5be5c401
Instruction Fuzzy Hash: 2ED1B5A6A0A64385EB6E8E3DC99027D27A0EF47B48F166235CF0DC7695CF39D841E740

Function 00007FFBA966A94C Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: f6e060cee868de89ecfd6e65a38dd133bf704dc9fad44840f22b03a22ca78f84
Instruction ID: 8f0745ac77343b0a6aef7bfc10ec3015d49b369f5dffde4809ea8b0f04a6a8d2
Opcode Fuzzy Hash: f6e060cee868de89ecfd6e65a38dd133bf704dc9fad44840f22b03a22ca78f84
Instruction Fuzzy Hash: D6C1D8A1A0968345EB699F79DD103BA27A1FF86788F406032DF4DC7685DE3CE541E700

Function 00007FFBA9677B68 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 3e4a6c9302e04ef510c14cffe3eb171fea011ffe0c5bc2dcbae0eafe8c829e00
Instruction ID: f3fb33a864da20ae1bbb8c4d4fb8e19421f2fd501c051d02e80885f6e922aa19
Opcode Fuzzy Hash: 3e4a6c9302e04ef510c14cffe3eb171fea011ffe0c5bc2dcbae0eafe8c829e00
Instruction Fuzzy Hash: 29B1E1A2A1A64782EB669F39D8116F933A1EF84B88F006131DE49C36CDDF3CE451E740

Function 00007FFBA9664D40 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cc3aba3e745d6a48830a645418db88c094d173c072236011805af4a4d3dcc6cf
Instruction ID: 25c8bd2b8f37857be5b414cd6ced4931f6812fb4943e77eb9b0e94174536506d
Opcode Fuzzy Hash: cc3aba3e745d6a48830a645418db88c094d173c072236011805af4a4d3dcc6cf
Instruction Fuzzy Hash: F981BFB2A06A5286EB69CF3DD8813792364FF85B98F445636EF5D87B88DF38D4419300

Function 00007FFBA966DE74 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64db44a498f02275e5f531fec2343ad4d033dbc9657a932505e982d2e3bec5da
Instruction ID: 7d48b7aad899dc2f525b0ba16e489385e0ffee0a09be38fc123172e83750e926
Opcode Fuzzy Hash: 64db44a498f02275e5f531fec2343ad4d033dbc9657a932505e982d2e3bec5da
Instruction Fuzzy Hash: A581F3B2A0978245E76ACF2DDC5036A6A90FF867D4F145235EF9D83B89CE3CD4109B00

Function 00007FFBA967AFB0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ea5c5c3c00029bc392feddf9836d97b515823bda33b6ca08a528ce145c60b2c6
Instruction ID: 1a04d530938b32d109d2271a17f11ab2b3bb28ba33f7236d0fa42c7bf2aeab2c
Opcode Fuzzy Hash: ea5c5c3c00029bc392feddf9836d97b515823bda33b6ca08a528ce145c60b2c6
Instruction Fuzzy Hash: 1561D4B2F1A28746FB668D3DDC5027D6781AF41360F142239EF2DC26D9DE6DE840A700

Function 00007FFBA9660234 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 09a3386d9b8eedf8f4e8187a59230b551464d0e4e98b681a1a6e8b5ababd5b58
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 235185B6A1965382E7698F3EC44423933A0EF46B58F246135CF4D97795CB3AEC42E780

Function 00007FFBA965FA14 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 320c34daf14bb74ac4e9b5ca5a11a751786b8cbea34ff2cc5428a869f6181933
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 625151B6A1A663C2E7258F3DC45432937A0EF49B58F24A132CE4D87794DF3AE842D740

Function 00007FFBA965FE24 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: f62c70b4aa96c2f10c886be12469b83e1388bcd76e34cbc4eb1f956184df2ef0
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 765194B2A1966282E7258F3DC44433833A0EF5DB58F24A131DE8D97795CB3AE843D740

Function 00007FFBA965FC20 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94732f3cefc08f3353ec1d41df61ecd9287c8128d91118fe05b88be5c63bb7a7
Instruction ID: 37f9c39ae6f4c05b41520728481cdc8b7f094f5e79f091f216c38ced3b0d9cd9
Opcode Fuzzy Hash: 94732f3cefc08f3353ec1d41df61ecd9287c8128d91118fe05b88be5c63bb7a7
Instruction Fuzzy Hash: 8B51A2B6A1A66286E7268F3DC44033937A0EF4DB58F246131CE4D97794CF3AE842D740

Function 00007FFBA9660030 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13152d3c0e899f1d8cddaeb5d170b213aa300ddb1a30ae017dd591a5b86a8be
Instruction ID: 2f37096ac3f944878e4bf2a394f201006a0ed37ed7fc9504d25e1a5fde43c44a
Opcode Fuzzy Hash: c13152d3c0e899f1d8cddaeb5d170b213aa300ddb1a30ae017dd591a5b86a8be
Instruction Fuzzy Hash: 7651B9B661A65286E7298F3EC44023D67A0EF46B58F246131CF4C97795DB3AEC42D740

Function 00007FFBA965F810 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12e7c255ce155637cc1c594d063d6d5db3739567eb3a2ecc9f2d19ad292e395
Instruction ID: 8534b2acb59f81328df52e0da11b2d3d43f80573a0c44af2f35985c9fb3ac544
Opcode Fuzzy Hash: e12e7c255ce155637cc1c594d063d6d5db3739567eb3a2ecc9f2d19ad292e395
Instruction Fuzzy Hash: F15169B6A1AA6285E7268F3DC54073927B0EF4DB58F246131CE4D97798CB3AE842D740

Function 00007FFBA9668A24 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 05367db707a061d726800f5c948201551e7b56debbc2d41eeb318f42d213519f
Instruction ID: 58c270d3885a93baf95933470377ff8fc8b5e7bc1132db7248a48d05dbd80ccc
Opcode Fuzzy Hash: 05367db707a061d726800f5c948201551e7b56debbc2d41eeb318f42d213519f
Instruction Fuzzy Hash: 6C41CDA2715A5682EF08CF3AD96416973A1BB58FC0B48A036EF4DD7B58DE3CC0429300

Function 00007FFBA9624D00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: 6c8518b0aa36c1c9fd5dc341d54f51b4fc9fb9bc492a4fc90080a47fb8737bef
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: EC418273B115458BE78CCF3ED8126AD33A2A798304F95C239EA0AC7385DA399906DB44

Function 00007FFBBAFBCAA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: Y_is_a
String ID:
API String ID: 923786835-0
Opcode ID: d369ddf9e08a91dfb4e91ee27849fe4af449a55078b4ac6bf7b810a546a754cb
Instruction ID: 443a970fb9170016406095ffe20a7b9fad81c264b46d448c6442f8f3b3108308
Opcode Fuzzy Hash: d369ddf9e08a91dfb4e91ee27849fe4af449a55078b4ac6bf7b810a546a754cb
Instruction Fuzzy Hash: 791154A2F141A206F3B4DA7FBE27F9B6955ABD53C8E94A131EF4942D868F3C81000D08

Function 00007FFBA967E130 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728586ba7c2db1965b014d67ea99c74997889a20b63d457d70d5520653044e51
Instruction ID: 522857044a1fa3835cac1b45a286607803daa0f6ad63e76758a4c6980b76ec2b
Opcode Fuzzy Hash: 728586ba7c2db1965b014d67ea99c74997889a20b63d457d70d5520653044e51
Instruction Fuzzy Hash: CBF068B17192A68ADB958F3DEC4262977D4EB0C380F509039D98DC3B15D63D90549F04

Function 00007FFBA970AB58 Relevance: .0, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7c0bf7981b4e6117261ab872638bbd4aae635f74708607c496e3d6933d3ed7
Instruction ID: 12cc56ba81ee8f0656d53f440ecea94f900e0cdd0d5b3f5682af49c17f2c2ecc
Opcode Fuzzy Hash: 3c7c0bf7981b4e6117261ab872638bbd4aae635f74708607c496e3d6933d3ed7
Instruction Fuzzy Hash: 38E086CBE0EAD21EF353C9BC682E15D2FD1A752697F4C906ADFC1525C3B58C24449215

Function 00007FFBA970AAC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718c53841f1db40f561f90b778fc81a11593878017de89d65bd93eb392e0058b
Instruction ID: 0fa2d0643419c319c1bdefbc86fade754e29c814df795a108dd857df8a152528
Opcode Fuzzy Hash: 718c53841f1db40f561f90b778fc81a11593878017de89d65bd93eb392e0058b
Instruction Fuzzy Hash: A9D0A787E4F3C216F3970D74987515E2FD16BA1843B5F8076D684A71C36D0D180A9161

Function 00007FFBA970A010 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7408cc0354dbe58e5710d38ee1d2d505bf013690eb692a8077eeddd4fa032327
Instruction ID: 448d67074342542a26a46f12ac65213d8e6cd30a17910e96bdd167d70fca174d
Opcode Fuzzy Hash: 7408cc0354dbe58e5710d38ee1d2d505bf013690eb692a8077eeddd4fa032327
Instruction Fuzzy Hash: F0C04CC790FACB15F2AB8935882A05C2D809B99685F598175CBCC453C3F64C98616131

Function 00007FFBA970B008 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04118f19c9b37a0ed2127ca1d9331dca3b0a4ea88fdc69cd376d889bee3f5d4a
Instruction ID: dbfe6b8387d6bff975ffbbfdd502bef26be1aeb5199071a966564dd5075bd3b9
Opcode Fuzzy Hash: 04118f19c9b37a0ed2127ca1d9331dca3b0a4ea88fdc69cd376d889bee3f5d4a
Instruction Fuzzy Hash: 04B012D360F7D20AE2234E603C2100D1F40D9C57557DD41A69AD18A09B510CA4C09251

Function 00007FFBBAFAAAD0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184abfd5ff6d954e496365c833b55255643bb449f304c0a53976f824b81c7c3e
Instruction ID: b4bbbe808aa62c3189c22d764a5946f2fe8bfbbac69b00167deabda82caaeb53
Opcode Fuzzy Hash: 184abfd5ff6d954e496365c833b55255643bb449f304c0a53976f824b81c7c3e
Instruction Fuzzy Hash: 49C09BC5E5D502C5F104177CD51913C61D07F61300F60C571F60D411619C1C51564519

Function 00007FFBA970AFF0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9531fd4ccccb56858de6414539155f6e034d1473b62fcc5f5a15562bb3b75360
Instruction ID: 2eabf530d9570760f403b495f4138088826568a84c84915bd78f60f37191467b
Opcode Fuzzy Hash: 9531fd4ccccb56858de6414539155f6e034d1473b62fcc5f5a15562bb3b75360
Instruction Fuzzy Hash: 6DB012C370F6E217E1528670395A41D5E60CEC5940BEC0199A7C1424934048F041A395

Function 00007FFBA970AF58 Relevance: .0, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 00007FFBA970AF60 Relevance: .0, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d6651aee64f03e14f2bc133940db4ae2d65b2322fd30231df270c6176abf77
Instruction ID: 52f60df3fc584bb2755b9902eca0ea292f076f9c021720799fa571c6a82a7638
Opcode Fuzzy Hash: d1d6651aee64f03e14f2bc133940db4ae2d65b2322fd30231df270c6176abf77
Instruction Fuzzy Hash:

Function 00007FFBA970B038 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b270ea0598b5b9cae66e2d5e117f87c25acc53f166e4edd8216a18fe85d6d1
Instruction ID: 92bca372c73bf05736e5418606bf4d9f339bc1d6ec97d0400b5c022073cefb92
Opcode Fuzzy Hash: 14b270ea0598b5b9cae66e2d5e117f87c25acc53f166e4edd8216a18fe85d6d1
Instruction Fuzzy Hash:

Function 00007FFBBB00FAD0 Relevance: 65.0, APIs: 34, Strings: 3, Instructions: 278COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FC36
BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FC51
BN_bin2bn.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FC63
OSSL_PARAM_BLD_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FC8B
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FCAE
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FCC8
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FCE2
OSSL_PARAM_BLD_to_param.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FCF2
EVP_PKEY_CTX_new_from_name.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD14
ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD21
ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD39
EVP_PKEY_fromdata_init.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD4C
EVP_PKEY_fromdata.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD6D
EVP_PKEY_CTX_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD7D
EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FD94
EVP_PKEY_get_security_bits.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FDCF
ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FDF8
ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FE10
ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FEB4
ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FEC3
ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FEDB
OSSL_PARAM_BLD_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FEF9
OSSL_PARAM_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF01
EVP_PKEY_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF0E
EVP_PKEY_CTX_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF16
BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF23
BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF2B
BN_free.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF33
ERR_new.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF50
ERR_set_debug.LIBCRYPTO-3-X64(00000000,?,?,?,?,?,00000000,00007FFBBB00DFDF,?,?,?,?,?,?), ref: 00007FFBBB00FF68

Strings

pub, xrefs: 00007FFBBB00FCD8
ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00FD32, 00007FFBBB00FE09, 00007FFBBB00FE78, 00007FFBBB00FEA0, 00007FFBBB00FED4, 00007FFBBB00FF61
tls_process_ske_dhe, xrefs: 00007FFBBB00FD2B, 00007FFBBB00FDFD, 00007FFBBB00FE6C, 00007FFBBB00FE94, 00007FFBBB00FEC8, 00007FFBBB00FF55

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$D_push_N_bin2bnN_free$X_free$D_freeD_newD_to_paramM_freeX_new_from_nameX_new_from_pkeyY_freeY_fromdataY_fromdata_initY_get_security_bits
String ID: pub$ssl\statem\statem_clnt.c$tls_process_ske_dhe
API String ID: 1993445532-147979557
Opcode ID: 38c4661678a0ae7f8cbcc767900c5fd67292f438485ef4a5dd898bbb6d475dcd
Instruction ID: 95e030be4a3d6e166b8d6d192d0ec0d25983770c3b979c36b4f8888094374ab8
Opcode Fuzzy Hash: 38c4661678a0ae7f8cbcc767900c5fd67292f438485ef4a5dd898bbb6d475dcd
Instruction Fuzzy Hash: FFB1C1A2A1CAC645EA54A739E4556BE6350BF95784FC0C131EF8D176A6EF3CE081C708

Function 00007FFBBAFB1B90 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 208COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2894
ERR_clear_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB28D7
BIO_s_file.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB28EF
BIO_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB28F7
ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2904
ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB291C
BIO_ctrl.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB293A
ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2943
ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB295B
X509_new_ex.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2974
ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2983
ERR_new.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB29AA
ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB29C2
ERR_set_debug.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2AC4
ERR_set_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2AD5
X509_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2ADF
BIO_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2AE7
X509_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2B0D
X509_free.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2B1B
ERR_clear_error.LIBCRYPTO-3-X64(?,-0000001F,00000000,?), ref: 00007FFBBAFB2B48

Strings

use_certificate_chain_file, xrefs: 00007FFBBAFB2909, 00007FFBBAFB2948, 00007FFBBAFB29AF, 00007FFBBAFB2AB6
ssl\ssl_rsa.c, xrefs: 00007FFBBAFB2915, 00007FFBBAFB2954, 00007FFBBAFB29BB, 00007FFBBAFB2ABD

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_clear_errorX509_free$O_ctrlO_freeO_newO_s_fileR_set_errorX509_new_ex
String ID: ssl\ssl_rsa.c$use_certificate_chain_file
API String ID: 2790727340-2175753170
Opcode ID: a53f00850b1531de2570726849be251fc53473f5b1b54cc0155178b5c6ec9a07
Instruction ID: 769fc54b40b18f5138e4c7df956498a2df7448d2cbebb67004d28a27d0d19f37
Opcode Fuzzy Hash: a53f00850b1531de2570726849be251fc53473f5b1b54cc0155178b5c6ec9a07
Instruction Fuzzy Hash: DE8185E1F0864241FA24AB39D4112FD22A8BFA4B85FD48475EF4D877E6DE3CE4468708

Function 00007FFBA95F96D0 Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 00007FFBA95F971E
GetObjectW.GDI32 ref: 00007FFBA95F9734
GetDC.USER32 ref: 00007FFBA95F9749
CreateCompatibleDC.GDI32 ref: 00007FFBA95F9755
CreateCompatibleBitmap.GDI32 ref: 00007FFBA95F9766
SelectObject.GDI32 ref: 00007FFBA95F9775
CreateCompatibleDC.GDI32 ref: 00007FFBA95F977E
CreateCompatibleDC.GDI32 ref: 00007FFBA95F9791
SelectObject.GDI32 ref: 00007FFBA95F97A8
SelectObject.GDI32 ref: 00007FFBA95F97BC
BitBlt.GDI32 ref: 00007FFBA95F97F9
BitBlt.GDI32 ref: 00007FFBA95F9838
GetDIBits.GDI32 ref: 00007FFBA95F992E
DeleteObject.GDI32 ref: 00007FFBA95F998C
DeleteDC.GDI32 ref: 00007FFBA95F9999
DeleteDC.GDI32 ref: 00007FFBA95F99A6
DeleteDC.GDI32 ref: 00007FFBA95F99AF
ReleaseDC.USER32 ref: 00007FFBA95F99BA

Strings

6, xrefs: 00007FFBA95F9893
(, xrefs: 00007FFBA95F983E
ios_base::eofbit set, xrefs: 00007FFBA95F9A52
ios_base::failbit set, xrefs: 00007FFBA95F9A4B
, xrefs: 00007FFBA95F980A
ios_base::badbit set, xrefs: 00007FFBA95F9A40

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Object$CompatibleCreateDelete$Select$BitmapBitsRelease
String ID: $($6$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2929339508-282752976
Opcode ID: 8d6e9ffcffdeb60caf28a8e37f5999ffc856ed95e4774f48816ca53244140bf2
Instruction ID: 20569e9a8dd49d7a894ad64e860ca726f7d3e0eb5bc3dfffebf2fc0dc203c942
Opcode Fuzzy Hash: 8d6e9ffcffdeb60caf28a8e37f5999ffc856ed95e4774f48816ca53244140bf2
Instruction Fuzzy Hash: 46B14D72705B429AEB15CF35E8943A977A0FB88B88F405136DE4E87B68DF38D549D700

Function 00007FFBBAFDFBE0 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 234COMMON

Download Yara Rule

APIs

EVP_MD_fetch.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFC4B
EVP_MD_get0_name.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFCA7
EVP_KDF_fetch.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFCC8
EVP_KDF_CTX_new.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFCDC
OSSL_PARAM_construct_int.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFCFF
OSSL_PARAM_construct_utf8_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFD32
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFD71
OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFDAE
OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFDD9
EVP_KDF_derive.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFE16
EVP_KDF_CTX_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFE2C
EVP_KDF_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFE34
EVP_MD_free.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFECD
EVP_MD_up_ref.LIBCRYPTO-3-X64(?,00000000,?,?,?,?,000C0103,00007FFBBAFD0EED,?,00007FFBBAFD892B,?,00007FFBBAFD3562), ref: 00007FFBBAFDFFB8

Strings

digest, xrefs: 00007FFBBAFDFD08
HKDF, xrefs: 00007FFBBAFDFCBE
client in, xrefs: 00007FFBBAFDFEAC
SHA256, xrefs: 00007FFBBAFDFC44
server in, xrefs: 00007FFBBAFDFF62
salt, xrefs: 00007FFBBAFDFD44
, xrefs: 00007FFBBAFDFFCF
key, xrefs: 00007FFBBAFDFD7A
, xrefs: 00007FFBBAFDFF38
mode, xrefs: 00007FFBBAFDFCF4

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: M_construct_octet_string$D_fetchD_freeD_get0_nameD_up_refF_deriveF_fetchF_freeM_construct_endM_construct_intM_construct_utf8_stringX_freeX_new
String ID: $ $HKDF$SHA256$client in$digest$key$mode$salt$server in
API String ID: 2228937716-352202359
Opcode ID: b3da57f89f33cbf212b3bfa10d3450a051eb288a08836f08ae95c69551cc5f35
Instruction ID: b0cff35436db26135986d937268fa11af799385f2ac1f2e0d30090a9ce009896
Opcode Fuzzy Hash: b3da57f89f33cbf212b3bfa10d3450a051eb288a08836f08ae95c69551cc5f35
Instruction Fuzzy Hash: 3DB16162A09BC589E762CF39E8007F967A4FB49788F444135EF8C47A55EF38E289C704

Function 00007FFBBAFBE9A0 Relevance: 42.2, APIs: 11, Strings: 13, Instructions: 224COMMON

Download Yara Rule

APIs

BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEAAC
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEAE8

Part of subcall function 00007FFBBAFC10A0: BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBAFC10CA
Part of subcall function 00007FFBBAFC10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBAFBECED), ref: 00007FFBBAFC10E4
Part of subcall function 00007FFBBAFC10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBAFBECED), ref: 00007FFBBAFC10FF

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEB1E
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEB5F
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEBC6
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFBEC10
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFBECF7

Strings

Illegal Alert Length, xrefs: 00007FFBBAFBEC69
epoch=%d, sequence_number=%04x%04x%04x, xrefs: 00007FFBBAFBEBA6
Level=%s(%d), description=%s(%d), xrefs: 00007FFBBAFBECA4
unknown value, xrefs: 00007FFBBAFBECD1
TLS RecordHeader: Version = %s (0x%x), xrefs: 00007FFBBAFBEB55
UNKNOWN, xrefs: 00007FFBBAFBEA92, 00007FFBBAFBEB30
too short message, xrefs: 00007FFBBAFBEAED
Message length parse error!, xrefs: 00007FFBBAFBEC4F
Content Type = %s (%d) Length = %d, xrefs: 00007FFBBAFBEBF4
change_cipher_spec (1), xrefs: 00007FFBBAFBECC0
Sent, xrefs: 00007FFBBAFBEADA, 00007FFBBAFBEB10
Inner Content Type = %s (%d), xrefs: 00007FFBBAFBEAA2
Received, xrefs: 00007FFBBAFBEABA

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printf$O_puts$O_indent
String ID: Illegal Alert Length$ Level=%s(%d), description=%s(%d)$ change_cipher_spec (1)$ Content Type = %s (%d) Length = %d$ Inner Content Type = %s (%d)$ epoch=%d, sequence_number=%04x%04x%04x$ TLS RecordHeader: Version = %s (0x%x)$ too short message$Message length parse error!$Received$Sent$UNKNOWN$unknown value
API String ID: 3510058808-1353787293
Opcode ID: d525476707c1f920b43ce9caab1d2c05701a6bc85ffe24a0ad2d03e39bc10cfd
Instruction ID: 74244f4dbe7f669b5b8618cf94e22536194d257bdb46c896155ac97ccc0cec8a
Opcode Fuzzy Hash: d525476707c1f920b43ce9caab1d2c05701a6bc85ffe24a0ad2d03e39bc10cfd
Instruction Fuzzy Hash: ED91B3E2E0869285E6648B3DE4501BD6BA6BB55785FC88175EFCE477A1DE3CE140C308

Function 00007FFBBAFBABB0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAC07
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAC1F

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

OSSL_STORE_INFO_get_type.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAD04
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAD53
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAD6B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFBADCB
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFBADE3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAE35
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAE62
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFBAE7A

Strings

ssl\t1_lib.c, xrefs: 00007FFBBAFBAC18, 00007FFBBAFBAD64, 00007FFBBAFBADDC, 00007FFBBAFBAE73, 00007FFBBAFBAF9D, 00007FFBBAFBAFE0
tls12_check_peer_sigalg, xrefs: 00007FFBBAFBAC0C, 00007FFBBAFBAD58, 00007FFBBAFBADD5, 00007FFBBAFBAE6C, 00007FFBBAFBAF91, 00007FFBBAFBAFD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$O_get_typeR_vset_error
String ID: ssl\t1_lib.c$tls12_check_peer_sigalg
API String ID: 812865484-3755023935
Opcode ID: b3c0d4f34d2e8c8f1e74b4fa63eda2bf46e79ec77a19b478794c8000292d5e18
Instruction ID: 89dd1f90dcd5153811da2caac6959d43b0c52da536d8c8a263646f33db7413b7
Opcode Fuzzy Hash: b3c0d4f34d2e8c8f1e74b4fa63eda2bf46e79ec77a19b478794c8000292d5e18
Instruction Fuzzy Hash: 8BC1AFE1E0D64243FA65AA3ED0402FD62A9BF60785FD08471EF4D876D2DF2CE8858749

Function 00007FFBBAF96C60 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF96CA0
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF96CB8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF96CD0

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAF96D21
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96D5C
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96D72
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96D8F
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96DAC
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAF96DC6
EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAF96DE4
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96DF6
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAF96E0C
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAF96E20
EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF96E45
OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBAF96E54

Strings

ssl\s3_enc.c, xrefs: 00007FFBBAF96CC9, 00007FFBBAF96E74
ssl3_generate_master_secret, xrefs: 00007FFBBAF96CBD, 00007FFBBAF96E68

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: Digest$Update$Final_exInit_ex$L_cleanseR_newR_set_debugR_vset_errorX_freeX_new
String ID: ssl3_generate_master_secret$ssl\s3_enc.c
API String ID: 170064413-120754557
Opcode ID: e840427d042f91aa383478c0a75ed118fc414cfd648198a6f8c56952143c44ef
Instruction ID: bad4583147856aa502adea69b4c4b7d160c617566374349df7500889f7c1313a
Opcode Fuzzy Hash: e840427d042f91aa383478c0a75ed118fc414cfd648198a6f8c56952143c44ef
Instruction Fuzzy Hash: 8A51D4A1E0864742E664AB3AE8517BEA294FF54BC4F809031FF4D87B66DE3CE0058708

Function 00007FFBBAFB1BB0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1BDB
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1BE3
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1BF0
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1C06
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1C24
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1C2D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1C45
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1D57
X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1D61
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB1D69

Strings

SSL_use_certificate_file, xrefs: 00007FFBBAFB1BF5, 00007FFBBAFB1C32, 00007FFBBAFB1C76, 00007FFBBAFB1D01, 00007FFBBAFB1D33
ssl\ssl_rsa.c, xrefs: 00007FFBBAFB1BFF, 00007FFBBAFB1C3E, 00007FFBBAFB1C82, 00007FFBBAFB1D0D, 00007FFBBAFB1D3F

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_errorX509_free
String ID: SSL_use_certificate_file$ssl\ssl_rsa.c
API String ID: 2680622528-2821204180
Opcode ID: d0b8fb939312130427aed05df8702e287d5e4e734cf82a59627edb3ab9c4d81e
Instruction ID: 395d98c8de1aecd2744ea8c9b497b76d7a5cf509325315be702131f33821a4dd
Opcode Fuzzy Hash: d0b8fb939312130427aed05df8702e287d5e4e734cf82a59627edb3ab9c4d81e
Instruction Fuzzy Hash: 3D4143E1E08A4241FA54AB7DD4512FD2765BFA4784FE08032EF4D476B6DE2CE84A870D

Function 00007FFBBAF9BC60 Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

OPENSSL_sk_set_cmp_func.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BC94
BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BC9C
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCA4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCB1
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCC9
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCD9
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCE3
X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCED
OPENSSL_sk_set_cmp_func.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BCF8
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD21
PEM_read_bio_X509.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD38
X509_get_subject_name.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD47
X509_NAME_dup.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD54
OPENSSL_sk_find.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD6B
X509_NAME_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD77
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD84
PEM_read_bio_X509.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BD9B
ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BDA5
X509_NAME_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF9BDB2

Strings

SSL_add_file_cert_subjects_to_stack, xrefs: 00007FFBBAF9BCB6
ssl\ssl_cert.c, xrefs: 00007FFBBAF9BCC2

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: X509_$E_freeL_sk_set_cmp_funcM_read_bio_X509$E_dupL_sk_findL_sk_pushO_ctrlO_freeO_newO_s_fileR_clear_errorR_newR_set_debugR_set_errorX509_freeX509_get_subject_name
String ID: SSL_add_file_cert_subjects_to_stack$ssl\ssl_cert.c
API String ID: 2223916698-1814255512
Opcode ID: 454d1a6612cd72e13770a035e2ab7f109885c298819a3b2d40ee806097bfae65
Instruction ID: 039373857b2e0d3065ccc103a36e5ae3cab2088f644462acba7e4f8f3ca2e32f
Opcode Fuzzy Hash: 454d1a6612cd72e13770a035e2ab7f109885c298819a3b2d40ee806097bfae65
Instruction Fuzzy Hash: 70319C91F0920242FA58AB7ED5656FD6254BF95BC0F848030FF4D8BBA6EE2CE4058608

Function 00007FFBBB007B40 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFBBB0084CD
SetLastError.KERNEL32 ref: 00007FFBBB0084D4
BUF_MEM_free.LIBCRYPTO-3-X64 ref: 00007FFBBB00870E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB0087D9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB0087F1
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00880B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB008823
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBB008834

Strings

ssl\statem\statem.c, xrefs: 00007FFBBB00860B, 00007FFBBB0086E3, 00007FFBBB0087EA, 00007FFBBB00881C
state_machine, xrefs: 00007FFBBB008604, 00007FFBBB0086D7, 00007FFBBB0087DE, 00007FFBBB008810

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$ErrorLastM_freeR_clear_errorR_set_error
String ID: ssl\statem\statem.c$state_machine
API String ID: 2605663294-1334640251
Opcode ID: abd2362dc976df5a4c68c298f9b0152bee83919c7ea65e1a7cb2b84d6ad50e48
Instruction ID: 055d225c2633850d2ee3682ff9d39afbe2749971f4ef7005eafbd9b778e26c1b
Opcode Fuzzy Hash: abd2362dc976df5a4c68c298f9b0152bee83919c7ea65e1a7cb2b84d6ad50e48
Instruction Fuzzy Hash: E2C16FB1A0C74A8AFF649A39C4653BD2294FF50B88FD8C535DB0D466A5EF3CE4408719

Function 00007FFBBAFCBC30 Relevance: 33.5, APIs: 1, Strings: 18, Instructions: 239COMMON

Download Yara Rule

APIs

BUF_MEM_free.LIBCRYPTO-3-X64(?,02000100,?,00007FFBBAFD0F0C), ref: 00007FFBBAFCC0A8

Part of subcall function 00007FFBBAFECC90: memcpy.VCRUNTIME140(00000000,00007FFBBAFCBCBB,?,02000100,?,00007FFBBAFD0F0C), ref: 00007FFBBAFECD0A

Part of subcall function 00007FFBBAFECD40: memcpy.VCRUNTIME140(00000000,00007FFBBAFCBCE3,?,02000100,?,00007FFBBAFD0F0C), ref: 00007FFBBAFECDC4

Strings

transport, xrefs: 00007FFBBAFCBED2
owner, xrefs: 00007FFBBAFCBEFA
active_connection_id_limit, xrefs: 00007FFBBAFCBFA9
max_idle_timeout, xrefs: 00007FFBBAFCBF7F
initial_max_stream_data_bidi_remote, xrefs: 00007FFBBAFCC009
initial_max_stream_data_uni, xrefs: 00007FFBBAFCC01F
initial_source_connection_id, xrefs: 00007FFBBAFCBF54, 00007FFBBAFCBF6C
max_ack_delay, xrefs: 00007FFBBAFCBFBF
initial_max_streams_uni, xrefs: 00007FFBBAFCC05B
initial_max_data, xrefs: 00007FFBBAFCBFDD
initial_max_streams_bidi, xrefs: 00007FFBBAFCC03D
transport:parameters_set, xrefs: 00007FFBBAFCBEC8
original_destination_connection_id, xrefs: 00007FFBBAFCBF39
initial_max_stream_data_bidi_local, xrefs: 00007FFBBAFCBFF3
max_udp_payload_size, xrefs: 00007FFBBAFCBF94
disable_active_migration, xrefs: 00007FFBBAFCBF0C
parameters_set, xrefs: 00007FFBBAFCBEC1
local, xrefs: 00007FFBBAFCBEF0

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: memcpy$M_free
String ID: active_connection_id_limit$disable_active_migration$initial_max_data$initial_max_stream_data_bidi_local$initial_max_stream_data_bidi_remote$initial_max_stream_data_uni$initial_max_streams_bidi$initial_max_streams_uni$initial_source_connection_id$local$max_ack_delay$max_idle_timeout$max_udp_payload_size$original_destination_connection_id$owner$parameters_set$transport$transport:parameters_set
API String ID: 1248561259-4172531249
Opcode ID: b32c0b8b04c25c4c87b0eef376af5ba9881d1595a53b63a95d6d00a72dd6e810
Instruction ID: d05d5a5af54d5b416fb98fefcffee1364a1240eb0073199c4f99fde7f11a8262
Opcode Fuzzy Hash: b32c0b8b04c25c4c87b0eef376af5ba9881d1595a53b63a95d6d00a72dd6e810
Instruction Fuzzy Hash: 7AB1BFA2E1C68291EB509B3AD5503FA2359FF84785F844072EF4DC7696EF6CE406C398

Function 00007FFBBAFC1C80 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFBBAFC1CA4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFC1CAD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFC1CC5

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFC1D6E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFC1D86

Strings

tls13_hkdf_expand, xrefs: 00007FFBBAFC1D73, 00007FFBBAFC1F87
key, xrefs: 00007FFBBAFC1F03
derive_secret_key_and_iv, xrefs: 00007FFBBAFC1CB2, 00007FFBBAFC1E3F, 00007FFBBAFC1E94
ssl\tls13_enc.c, xrefs: 00007FFBBAFC1CBE, 00007FFBBAFC1D7F, 00007FFBBAFC1E4B, 00007FFBBAFC1EA0, 00007FFBBAFC1F8E

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$D_get_sizeR_vset_error
String ID: derive_secret_key_and_iv$key$ssl\tls13_enc.c$tls13_hkdf_expand
API String ID: 773136946-1769045784
Opcode ID: 2753b581631ba8ac42c4b99f322f81c9f0d3889b698f25309be0f3996ca10f44
Instruction ID: 15cf1cd41c14d79f392cbaee405ac2282fda8b0b1fa70235db7183f077d2cd99
Opcode Fuzzy Hash: 2753b581631ba8ac42c4b99f322f81c9f0d3889b698f25309be0f3996ca10f44
Instruction Fuzzy Hash: C6916472A08B8285E7609B26E4547BE7364FB88B84F408135EF8D87765EF7CD155C708

Function 00007FFBBAFF4C90 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4CC1
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4CD9
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4CEA
memcpy.VCRUNTIME140 ref: 00007FFBBAFF4D1B
EVP_CIPHER_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4D20
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4D34
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4D4A
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFF4D5A

Strings

tls13_set_crypto_state, xrefs: 00007FFBBAFF4CC6, 00007FFBBAFF4D39, 00007FFBBAFF4E09
ssl\record\methods\tls13_meth.c, xrefs: 00007FFBBAFF4CD2, 00007FFBBAFF4D43, 00007FFBBAFF4E15

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$X_newmemcpy
String ID: ssl\record\methods\tls13_meth.c$tls13_set_crypto_state
API String ID: 3455081293-161958930
Opcode ID: 59911735c1bf63221ab460f1ad22598d7872e3edb6753f793bda7f09df78ed16
Instruction ID: ff0cd75790e89572055875a583486f1e9beb5ef19a91099d0d9cf6b3309f5ed5
Opcode Fuzzy Hash: 59911735c1bf63221ab460f1ad22598d7872e3edb6753f793bda7f09df78ed16
Instruction Fuzzy Hash: F0416072A0864282E764DB79D5517BEB764FF94384F808131EF4D43AAADF3DE4458B08

Function 00007FFBBB005B20 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB005B6D
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB005B85
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB005C1E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB005C36
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB005C57
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB005C6F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB005E61
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB005E79

Strings

tls_parse_ctos_key_share, xrefs: 00007FFBBB005B72, 00007FFBBB005C23, 00007FFBBB005C61, 00007FFBBB005DF7, 00007FFBBB005E21, 00007FFBBB005E6B
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB005B7E, 00007FFBBB005C2F, 00007FFBBB005C68, 00007FFBBB005E03, 00007FFBBB005E2D, 00007FFBBB005E72

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_key_share
API String ID: 193678381-3868297702
Opcode ID: fb4d91c0eb90de5c8e0dee8a15127f94d13c557bafd97e4d07a47d8d45e6c236
Instruction ID: 4c18f2c50527d26490a49bd78fdfcce9e020bc14429851f3ea57711ec7cb77c5
Opcode Fuzzy Hash: fb4d91c0eb90de5c8e0dee8a15127f94d13c557bafd97e4d07a47d8d45e6c236
Instruction Fuzzy Hash: AB91E1E2A0C69649FA649B39D4682BE2790BF54784FD4C132EF8D076A6DF3CE541C318

Function 00007FFBBB00AAD0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AAFF
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB17

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB5D
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB75

Strings

set_client_ciphersuite, xrefs: 00007FFBBB00AB04, 00007FFBBB00AB62, 00007FFBBB00ABBD, 00007FFBBB00AC36, 00007FFBBB00AD0C, 00007FFBBB00AD5A, 00007FFBBB00AD90
ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00AB10, 00007FFBBB00AB6E, 00007FFBBB00ABC9, 00007FFBBB00AC42, 00007FFBBB00AD18, 00007FFBBB00AD66, 00007FFBBB00AD9C

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: set_client_ciphersuite$ssl\statem\statem_clnt.c
API String ID: 4275876640-3316213183
Opcode ID: 99865a8d09b14ab70775f84d18142be470505e1896f382c16f73d43a3a64e092
Instruction ID: ce5d5c53026d4e58206152674d714b404e80cfed89643b9bd7570acfddbb1deb
Opcode Fuzzy Hash: 99865a8d09b14ab70775f84d18142be470505e1896f382c16f73d43a3a64e092
Instruction Fuzzy Hash: 598193A2B085468AEB44EB39E4556FD2760FB58B84FD48132EF0D476B6DF2CE481C708

Function 00007FFBBAFCDB64 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 112COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Part of subcall function 00007FFBBAFEC400: memcpy.VCRUNTIME140(?,?,?,00007FFBBAFCDB99), ref: 00007FFBBAFEC57A

Strings

ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
PREFERRED_ADDR appears multiple times, xrefs: 00007FFBBAFCDE39
PREFERRED_ADDR provided for zero-length CID, xrefs: 00007FFBBAFCDE21
zero-length CID in PREFERRED_ADDR, xrefs: 00007FFBBAFCDE09
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
PREFERRED_ADDR is malformed, xrefs: 00007FFBBAFCDE15
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
PREFERRED_ADDR may not be sent by a client, xrefs: 00007FFBBAFCDE2D
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_errormemcpy
String ID: ORIG_DCID was not sent but is required$PREFERRED_ADDR appears multiple times$PREFERRED_ADDR is malformed$PREFERRED_ADDR may not be sent by a client$PREFERRED_ADDR provided for zero-length CID$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c$zero-length CID in PREFERRED_ADDR
API String ID: 3458080559-3658441780
Opcode ID: 3badd4ee351ba77d0d9d6e7dc33ab5dfc99e88349d47c0c1ee403375d7349cee
Instruction ID: edee76cb2b0e4f774345eb62b3d3e4cba6f51f5716b5c860b9236d61324a53c9
Opcode Fuzzy Hash: 3badd4ee351ba77d0d9d6e7dc33ab5dfc99e88349d47c0c1ee403375d7349cee
Instruction Fuzzy Hash: F95188A2E18B4285FB50CB7AE4043FD27A9BB04389F844175DF4D96AA5EFBCE541C708

Function 00007FFBBAFF9B10 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 297COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9B8C
EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9B9D
EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9BA5
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9BB4
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9BCC

Part of subcall function 00007FFBBAFF76D0: ERR_vset_error.LIBCRYPTO-3-X64(?,?,00007FFBBAFF34A0,?,00007FFBBAFF2DD6), ref: 00007FFBBAFF76FE

memset.VCRUNTIME140 ref: 00007FFBBAFF9C5F
COMP_compress_block.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9D2C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9D52
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9D6A
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9E4B
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9E63
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9EE6
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF9F4B

Strings

tls_write_records_default, xrefs: 00007FFBBAFF9BB9, 00007FFBBAFF9D57, 00007FFBBAFF9E50, 00007FFBBAFF9EEB, 00007FFBBAFF9F50
ssl\record\methods\tls_common.c, xrefs: 00007FFBBAFF9BC5, 00007FFBBAFF9D63, 00007FFBBAFF9E5C

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$X_get0_cipher$D_get_sizeP_compress_blockR_vset_errormemset
String ID: ssl\record\methods\tls_common.c$tls_write_records_default
API String ID: 909859927-3970931601
Opcode ID: 2c5d3674a1e9203d786d1dd31fbc26b6bf40172cf4228be24755d5b77a1522ac
Instruction ID: e8e75d992f64216ef2b17b9326f971af871e9e5e81ee7b125ee9bb40399d9967
Opcode Fuzzy Hash: 2c5d3674a1e9203d786d1dd31fbc26b6bf40172cf4228be24755d5b77a1522ac
Instruction Fuzzy Hash: 55D16FB2A09B8281EB24CF2AE4901ED67A8FB84BC4F544132DF4D93BA8DF39D145C714

Function 00007FFBBAFF7C40 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7CCF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7CE7
memcpy.VCRUNTIME140 ref: 00007FFBBAFF7D30
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7DE1
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7DF9
SetLastError.KERNEL32 ref: 00007FFBBAFF7E50
SetLastError.KERNEL32 ref: 00007FFBBAFF7E5C
BIO_read.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7E7F
BIO_test_flags.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7ED0
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7EE2
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7F03
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7F12
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFF7F2A

Strings

tls_default_read_n, xrefs: 00007FFBBAFF7CD4, 00007FFBBAFF7DE6, 00007FFBBAFF7F17
ssl\record\methods\tls_common.c, xrefs: 00007FFBBAFF7CE0, 00007FFBBAFF7DF2, 00007FFBBAFF7F23

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$ErrorLast$O_ctrlO_freeO_readO_test_flagsmemcpy
String ID: ssl\record\methods\tls_common.c$tls_default_read_n
API String ID: 122450645-158468358
Opcode ID: 5ca1844759f6b7795a847ff27d359e7cbbf1ad83207e0c50be098a6509cbfd06
Instruction ID: 9caec3536c910a172196bb33d70b8de98c877baf0b3ae03694543c9ed9364e89
Opcode Fuzzy Hash: 5ca1844759f6b7795a847ff27d359e7cbbf1ad83207e0c50be098a6509cbfd06
Instruction Fuzzy Hash: 8F91D1B2E0AA8286EB649F39D4406FDB259FF44B88F944172DF4D87B99DF2DD4418308

Function 00007FFBBAFCDAF5 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 117COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Part of subcall function 00007FFBBAFE2CF0: OPENSSL_LH_retrieve.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFCDB50), ref: 00007FFBBAFE2D3C
Part of subcall function 00007FFBBAFE2CF0: CRYPTO_zalloc.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFCDB50), ref: 00007FFBBAFE2D73
Part of subcall function 00007FFBBAFE2CF0: CRYPTO_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFCDB50), ref: 00007FFBBAFE2DB3

Strings

ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
STATELESS_RESET_TOKEN is malformed, xrefs: 00007FFBBAFCDDE5
STATELESS_RESET_TOKEN may not be sent by a client, xrefs: 00007FFBBAFCDDF1
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
STATELESS_RESET_TOKEN encountered internal error, xrefs: 00007FFBBAFCDDD9
STATELESS_RESET_TOKEN appears multiple times, xrefs: 00007FFBBAFCDDFD
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveH_retrieveO_freeO_zallocR_newR_set_error
String ID: ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$STATELESS_RESET_TOKEN appears multiple times$STATELESS_RESET_TOKEN encountered internal error$STATELESS_RESET_TOKEN is malformed$STATELESS_RESET_TOKEN may not be sent by a client$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 1846773780-3045332596
Opcode ID: c10783c2173d7a9d1a7ca153713bc9170e0ac0734e76a19f8ae34b1636d7f679
Instruction ID: a8a2094283f1c8a8c49d0e206083f5e64f384ae4abb0f465106ba3af1452fd75
Opcode Fuzzy Hash: c10783c2173d7a9d1a7ca153713bc9170e0ac0734e76a19f8ae34b1636d7f679
Instruction Fuzzy Hash: 99518AA2E18B4285FB50CB69E4443FD27A9BB08389F844175DF4D976A4EFBCE441C708

Function 00007FFBBAFD09E0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

OSSL_ERR_STATE_restore.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0A99
ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0ABC
ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0AD4
ERR_set_error.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0B4C
ERR_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0B53
ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0B6B
ERR_set_error.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0BA6
ERR_set_debug.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0BD7
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0BE8
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64(?,00000000,?,?,000C0103,?,00007FFBBAFCF53D,?,00007FFBBAFD0F50), ref: 00007FFBBAFD0BFC

Strings

ssl\quic\quic_channel.c, xrefs: 00007FFBBAFD0ACD, 00007FFBBAFD0B64
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFD0B78
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFD0AC1, 00007FFBBAFD0B58
QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s", xrefs: 00007FFBBAFD0AE8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$R_newR_set_error$E_newE_restoreE_save
String ID: QUIC error code: 0x%llx%s%s%s (triggered by frame type: 0x%llx%s%s%s), reason: "%s"$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 4176084029-936738589
Opcode ID: aa52d62a7a3aecb7fa2dca80785d2fa49dc7f5746cce2779be058948f90cd162
Instruction ID: a7b3b7b4a807269089af13982a19c5d8309c7afe14b51d01f1de7115b8054e4a
Opcode Fuzzy Hash: aa52d62a7a3aecb7fa2dca80785d2fa49dc7f5746cce2779be058948f90cd162
Instruction Fuzzy Hash: 19517FA2A0CBC685EA259B69F9443BA73A4FB84784F448135EFCD43B69DF3CD0458708

Function 00007FFBBB001AC0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB001B56
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB001B6E

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB001BAA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB001BC2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB001C74
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB001C8C

Strings

tls_parse_stoc_use_srtp, xrefs: 00007FFBBB001B5B, 00007FFBBB001BAF, 00007FFBBB001C22, 00007FFBBB001C79
ssl\statem\extensions_clnt.c, xrefs: 00007FFBBB001B67, 00007FFBBB001BBB, 00007FFBBB001C2E, 00007FFBBB001C85

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_use_srtp
API String ID: 4275876640-3691485550
Opcode ID: 3e8727127fe6c0fcfbea0dfb49094d3283f075d4d382af14314a0e9c7a0a92ad
Instruction ID: b55362553c1f34c52c3c9825fb85b105d3c15e44dc1612e7696f360586327417
Opcode Fuzzy Hash: 3e8727127fe6c0fcfbea0dfb49094d3283f075d4d382af14314a0e9c7a0a92ad
Instruction Fuzzy Hash: 3951C5A2A0CA8685EB54EB39E8555FD2750FB84B80FC49131EB4D43BA2CF6CD491C708

Function 00007FFBBAFCD9F1 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 117COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Strings

ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
MAX_IDLE_TIMEOUT appears multiple times, xrefs: 00007FFBBAFCDD9D
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
MAX_IDLE_TIMEOUT is malformed, xrefs: 00007FFBBAFCDD91
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: MAX_IDLE_TIMEOUT appears multiple times$MAX_IDLE_TIMEOUT is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-1069301341
Opcode ID: 7b32abd198ed567e7fd5aabd7cb2b134eb7d76673e50838616ca72e168881d86
Instruction ID: 9be5d29abb1f0ec4ddac4507eedcd21bc9f4f871cf94900ae36131b3737013ba
Opcode Fuzzy Hash: 7b32abd198ed567e7fd5aabd7cb2b134eb7d76673e50838616ca72e168881d86
Instruction Fuzzy Hash: 0C518CA2E18B5285FB50CB69E4443FD27A9BB48349F844075EF4D57AA1EF7CE441C708

Function 00007FFBBAFCD99F Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Strings

ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
INITIAL_MAX_STREAMS_UNI is malformed, xrefs: 00007FFBBAFCDD79
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
INITIAL_MAX_STREAMS_UNI appears multiple times, xrefs: 00007FFBBAFCDD85
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: INITIAL_MAX_STREAMS_UNI appears multiple times$INITIAL_MAX_STREAMS_UNI is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-1123866485
Opcode ID: 9c68093b83d02c027c0a7608d24363ca6ffddc5083156bcba53460a4b998f334
Instruction ID: f2c2ed15d723569055ddae48caeefbfd9ff7cb128ee0adafebce3ababab0ac8f
Opcode Fuzzy Hash: 9c68093b83d02c027c0a7608d24363ca6ffddc5083156bcba53460a4b998f334
Instruction Fuzzy Hash: 5A419CA2E18B4285FB50CB6AE4443FD27A9BB04385F844175EF8D476A5EF7CE445C708

Function 00007FFBBAFCDAAE Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 105COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Strings

ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
ACTIVE_CONN_ID_LIMIT is malformed, xrefs: 00007FFBBAFCDDC1
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
ACTIVE_CONN_ID_LIMIT appears multiple times, xrefs: 00007FFBBAFCDDCD
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: ACTIVE_CONN_ID_LIMIT appears multiple times$ACTIVE_CONN_ID_LIMIT is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-2406644886
Opcode ID: fd2a9ae23cacd3e8d521f75651d18f5edb11395d2091f90908ccc8905aa11cc0
Instruction ID: cb55aa5f2a0458667552df31fec6924d06be8e62150d8ea66a8c143f472a6062
Opcode Fuzzy Hash: fd2a9ae23cacd3e8d521f75651d18f5edb11395d2091f90908ccc8905aa11cc0
Instruction Fuzzy Hash: 67419CA2E18B5285FB50CB69E4443FD27A9BB48385F844035EF4D57AA1EF7CE442C708

Function 00007FFBBAFCDBB4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE2FC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE314
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE35F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE377
OSSL_ERR_STATE_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE388
OSSL_ERR_STATE_save.LIBCRYPTO-3-X64 ref: 00007FFBBAFCE39C

Strings

DISABLE_ACTIVE_MIGRATION appears multiple times, xrefs: 00007FFBBAFCDE51
ORIG_DCID was not sent but is required, xrefs: 00007FFBBAFCDC35
DISABLE_ACTIVE_MIGRATION is malformed, xrefs: 00007FFBBAFCDE45
ssl\quic\quic_channel.c, xrefs: 00007FFBBAFCE30D, 00007FFBBAFCE370
QUIC error code: 0x%llx%s%s%s, reason: "%s", xrefs: 00007FFBBAFCE328
ossl_quic_channel_raise_protocol_error_loc, xrefs: 00007FFBBAFCE301
ch_on_transport_params, xrefs: 00007FFBBAFCE364

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debug$E_newE_saveR_newR_set_error
String ID: DISABLE_ACTIVE_MIGRATION appears multiple times$DISABLE_ACTIVE_MIGRATION is malformed$ORIG_DCID was not sent but is required$QUIC error code: 0x%llx%s%s%s, reason: "%s"$ch_on_transport_params$ossl_quic_channel_raise_protocol_error_loc$ssl\quic\quic_channel.c
API String ID: 2363558997-1192419531
Opcode ID: 93ac85ec090bfbf13fd9644ec7d30fafabb9004c6e60aad5d18b68797216d0b2
Instruction ID: 77819774812369deb2ee9fb01a26d084ec3c72a166b993786f578e673437ff89
Opcode Fuzzy Hash: 93ac85ec090bfbf13fd9644ec7d30fafabb9004c6e60aad5d18b68797216d0b2
Instruction Fuzzy Hash: 7641ACA2E18B4285FB10CB79E4442FC27A9BB04385F844179DF4D57AA1EF7CE582C708

Function 00007FFBBAFB0B40 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3,?,-0000001F,00000000,?), ref: 00007FFBBAFB0B5E
ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3,?,-0000001F,00000000,?), ref: 00007FFBBAFB0B76
ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3,?,-0000001F,00000000,?), ref: 00007FFBBAFB0B86
ERR_new.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3), ref: 00007FFBBAFB0BBC
ERR_set_debug.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3), ref: 00007FFBBAFB0BD4
ERR_set_error.LIBCRYPTO-3-X64(00000000,00007FFBBAFB29E3), ref: 00007FFBBAFB0BE2

Strings

SSL_CTX_use_certificate, xrefs: 00007FFBBAFB0B63, 00007FFBBAFB0BC1
ssl\ssl_rsa.c, xrefs: 00007FFBBAFB0B6F, 00007FFBBAFB0BCD, 00007FFBBAFB2157
ssl_set_cert, xrefs: 00007FFBBAFB214B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_CTX_use_certificate$ssl\ssl_rsa.c$ssl_set_cert
API String ID: 1552677711-3127846650
Opcode ID: 7e539d0f6bb5de28bb08d6a1850c9782515defe0ff152b8728dfce46cf9d0e4c
Instruction ID: 5d283a8020651dfbb9bc756537d7ec3faa60d47d1cd37cd50ac77ef8d647558b
Opcode Fuzzy Hash: 7e539d0f6bb5de28bb08d6a1850c9782515defe0ff152b8728dfce46cf9d0e4c
Instruction Fuzzy Hash: 6C3185A1A18A4182E644D739E5452BE6264FFA47C4FD48431EF4C83BAADE2CD5558A08

Function 00007FFBBAFDDB50 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDB9F
ERR_set_debug.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDBB7
ERR_set_error.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDBC8
ERR_new.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDD31
ERR_set_debug.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDD49
ERR_set_error.LIBCRYPTO-3-X64(?,?,00007FFBBAFDCEE7,00000000,?,00000000,?,?,00000000,00000000,00007FFBBAFDC74E,?,?,00000000,?,00000000), ref: 00007FFBBAFDDD5A

Strings

ossl_qrl_enc_level_set_key_update, xrefs: 00007FFBBAFDDBA4, 00007FFBBAFDDD36
quic ku, xrefs: 00007FFBBAFDDC3E
ssl\quic\quic_record_shared.c, xrefs: 00007FFBBAFDDBB0, 00007FFBBAFDDD42

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ossl_qrl_enc_level_set_key_update$quic ku$ssl\quic\quic_record_shared.c
API String ID: 1552677711-2650046233
Opcode ID: 252feda6ae8caec3962ed241ea4716e1c42d0ae396c7feca57c49baa62213ccd
Instruction ID: 7f368c4233b7cdb2ee0b99981987fd803fac7f9c8ee4ea1bcb627c0c04734c55
Opcode Fuzzy Hash: 252feda6ae8caec3962ed241ea4716e1c42d0ae396c7feca57c49baa62213ccd
Instruction Fuzzy Hash: 2F519EB2A0968286FB659B38E4543FD6369FB44748F944136EF8D83A95DF3CE444C708

Function 00007FFBBAFAFBE0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

ASYNC_WAIT_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFC3A
ASYNC_WAIT_CTX_set_callback.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFC66
ASYNC_start_job.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFC9E
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFCBD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFCD5
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFAFCE6

Strings

(, xrefs: 00007FFBBAFAFC7F
ssl\ssl_lib.c, xrefs: 00007FFBBAFAFCCE, 00007FFBBAFAFD37
ssl_start_async_job, xrefs: 00007FFBBAFAFCC2, 00007FFBBAFAFD2B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: C_start_jobR_newR_set_debugR_set_errorX_newX_set_callback
String ID: ($ssl\ssl_lib.c$ssl_start_async_job
API String ID: 3907389051-658281695
Opcode ID: b34f5513e2c862d987de34e9546b3f77fbaffa3fb1b1e4afd8443d1a78f8fbd3
Instruction ID: 617734e611b19cccb93abf606789e1c90ecc8bad1db04125733a7bbf327f8a8c
Opcode Fuzzy Hash: b34f5513e2c862d987de34e9546b3f77fbaffa3fb1b1e4afd8443d1a78f8fbd3
Instruction Fuzzy Hash: 11417BB190CA4282F7619A38D4143F922A8FF01798F644275EF5C8A6E9CF3CE949C718

Function 00007FFBBAFB0C20 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

X509_new_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0C47
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0C56
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0C6E
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0C7F
d2i_X509.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0C9E
X509_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0CAD
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0CB2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0CCA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB0CDB

Strings

SSL_CTX_use_certificate_ASN1, xrefs: 00007FFBBAFB0C5B, 00007FFBBAFB0CB7
ssl\ssl_rsa.c, xrefs: 00007FFBBAFB0C67, 00007FFBBAFB0CC3

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$X509X509_freeX509_new_exd2i_
String ID: SSL_CTX_use_certificate_ASN1$ssl\ssl_rsa.c
API String ID: 4137050946-3637493151
Opcode ID: 27615af4d4d95ba972a3828194820f15e0ed87785cf5dc0d89814da72c5a6e3d
Instruction ID: 369dce16e321a4b80f95a40038b47cf8642139a0ea2f222642188634eefbaaaa
Opcode Fuzzy Hash: 27615af4d4d95ba972a3828194820f15e0ed87785cf5dc0d89814da72c5a6e3d
Instruction Fuzzy Hash: 5C2144A1B2894182EB84E73DF4916BD6350FF94784FD45032FB4D83AABDE2CD5458B09

Function 00007FFBBAFB9AE0 Relevance: 19.6, APIs: 13, Instructions: 115COMMON

Download Yara Rule

APIs

BN_get_rfc3526_prime_8192.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9B7C
EVP_PKEY_CTX_new_from_name.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9BCF
EVP_PKEY_fromdata_init.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9BDF
OSSL_PARAM_BLD_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9BE9
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C03
OSSL_PARAM_BLD_push_uint.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C1C
OSSL_PARAM_BLD_to_param.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C28
EVP_PKEY_fromdata.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C46
OSSL_PARAM_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C4E
OSSL_PARAM_BLD_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C56
EVP_PKEY_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C5E
BN_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB9C66

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: D_freeD_newD_push_D_push_uintD_to_paramM_freeN_freeN_get_rfc3526_prime_8192X_freeX_new_from_nameY_fromdataY_fromdata_init
String ID:
API String ID: 2253699700-0
Opcode ID: e256c5e7799392e76bf1dc25129f73f9e45a8b801259696df418aad3307062f8
Instruction ID: 989e2553152a98a2f92cbff408c392cf2d52cebbeaae768ed3aeb23ed28074bc
Opcode Fuzzy Hash: e256c5e7799392e76bf1dc25129f73f9e45a8b801259696df418aad3307062f8
Instruction Fuzzy Hash: A6419091E0D64381FA28963EC0D12BD62A4FF65B84F94C475EF4E873E6DF2DE5028208

Function 00007FFBBAFFBBF0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBC82
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBC91
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBCA9
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBCFF
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBD17
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBE33
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBE4B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBEB3
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBECB

Strings

final_key_share, xrefs: 00007FFBBAFFBC96, 00007FFBBAFFBD04, 00007FFBBAFFBE3D, 00007FFBBAFFBEB8
ssl\statem\extensions.c, xrefs: 00007FFBBAFFBCA2, 00007FFBBAFFBD10, 00007FFBBAFFBE44, 00007FFBBAFFBEC4

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: final_key_share$ssl\statem\extensions.c
API String ID: 476316267-2857491001
Opcode ID: 80d6ef5df19a6f218cf8f6e95bcae8ae4e12eb8759c6b88a2a1d2e88cde73c01
Instruction ID: b12838d6ab661550b52852483bd59a89e8d00f808c6f4bb01ceea2b6d1489349
Opcode Fuzzy Hash: 80d6ef5df19a6f218cf8f6e95bcae8ae4e12eb8759c6b88a2a1d2e88cde73c01
Instruction Fuzzy Hash: 6D71E2A2E0968289F7A09A39D4057FD2794FB607CAF584031DF4C865E9CF7EE480C719

Function 00007FFBBAFB2B50 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2B6E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2B84
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2B94
EVP_PKEY_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2BAB
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2BB8
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2BCE
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2BDE

Strings

ssl\ssl_rsa_legacy.c, xrefs: 00007FFBBAFB2B7D, 00007FFBBAFB2BC7
SSL_CTX_use_RSAPrivateKey, xrefs: 00007FFBBAFB2B73, 00007FFBBAFB2BBD

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$Y_new
String ID: SSL_CTX_use_RSAPrivateKey$ssl\ssl_rsa_legacy.c
API String ID: 2166683265-1409161961
Opcode ID: 57dc451503d5aae5d1e808679583b4c58ceb9d054cb09bdbd29d2727c373e632
Instruction ID: 60a6792f015414a2997b042b04112957f5c0afa7bfdb48da22c2fb6d8a17f05a
Opcode Fuzzy Hash: 57dc451503d5aae5d1e808679583b4c58ceb9d054cb09bdbd29d2727c373e632
Instruction Fuzzy Hash: 6D21B4A1E2854282EA48E739E5415FD6351FFA87C4FC89070FF0D47AA7DE2CE5468708

Function 00007FFBBAFE6C3F Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
Len: %llu, xrefs: 00007FFBBAFE6CD9
Len: <implicit length>, xrefs: 00007FFBBAFE6CEA

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Len: <implicit length>$ Offset: %llu$ Stream id: %llu
API String ID: 3964688267-1947365733
Opcode ID: 4d1f37fc0091069070ec5b678bee404d654eead110a06625f73f895e58ae2144
Instruction ID: e60a84ed54af23741e13b6f70240af1eab2ee039f441fefefb9258877bc07e5c
Opcode Fuzzy Hash: 4d1f37fc0091069070ec5b678bee404d654eead110a06625f73f895e58ae2144
Instruction Fuzzy Hash: 4D1137D2E0C74380FA54DB7DE8112FC2261BB45785F8490B2EF0E465A6EE6CE5868358

Function 00007FFBBAFD1C30 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

BIO_ADDR_clear.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1CDA
ERR_set_mark.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D0B
BIO_recvmmsg.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D30
ERR_peek_last_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D39
BIO_err_is_non_fatal.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D40
ERR_pop_to_mark.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D49
ERR_clear_last_mark.LIBCRYPTO-3-X64 ref: 00007FFBBAFD1D98

Strings

, xrefs: 00007FFBBAFD1CFE

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_err_is_non_fatalO_recvmmsgR_clearR_clear_last_markR_peek_last_errorR_pop_to_markR_set_mark
String ID:
API String ID: 1430013108-3916222277
Opcode ID: f6f06973e9b30f7dbe2705f10a8c95b607cbc2453fd24866afb3a1f6e7e7d61e
Instruction ID: a29d15931e9f185f1db93af8ba299cdc33f01ae6678d594c1a8954415c250b13
Opcode Fuzzy Hash: f6f06973e9b30f7dbe2705f10a8c95b607cbc2453fd24866afb3a1f6e7e7d61e
Instruction Fuzzy Hash: 016182B2A09B8181EB259F39E4502BD73A8FB84B85F548136DF8D97795DF38D4A0C708

Function 00007FFBBAFB6B90 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6BDC
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6BF3
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6C23
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6C42
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6C70
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6C8C

Strings

Master-Key:, xrefs: 00007FFBBAFB6C38
RSA , xrefs: 00007FFBBAFB6BD5
%02X, xrefs: 00007FFBBAFB6C19, 00007FFBBAFB6C66
Session-ID:, xrefs: 00007FFBBAFB6BE9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_puts$O_printf
String ID: Master-Key:$%02X$RSA $Session-ID:
API String ID: 4098839300-1878088908
Opcode ID: 94c10f9fa99810933cf99afc9ba49c45b410cd3485a5502bd15f3f0ce384215d
Instruction ID: 63de14db12d845de4155dcca5ef117c498a3b737f348eccca5be02264cbd27c0
Opcode Fuzzy Hash: 94c10f9fa99810933cf99afc9ba49c45b410cd3485a5502bd15f3f0ce384215d
Instruction Fuzzy Hash: 90318DE1E08A4291E6959B39D9443BDB364FB64B82FC880B0EF4D826E5DF3CF151860C

Function 00007FFBBAFE6B96 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6BA0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6BC7
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6BDF
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6BEE
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C0B
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
<zero length token>, xrefs: 00007FFBBAFE6BD8
Token: , xrefs: 00007FFBBAFE6BBD
New token, xrefs: 00007FFBBAFE6B96

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_puts
String ID: <unexpected trailing frame data skipped>$ Token: $<zero length token>$New token
API String ID: 1322637139-1505068329
Opcode ID: f629072dc854f396e2766721875dc7bf0c5d92923e5eb6de51065a59695edfa0
Instruction ID: a1d7328ad56b43f5211a1553d6ed2b96e014d7a557440cb88a16c2ddcfad9cbe
Opcode Fuzzy Hash: f629072dc854f396e2766721875dc7bf0c5d92923e5eb6de51065a59695edfa0
Instruction Fuzzy Hash: D011E9D1E0874390FA19EB7DE8512F81315BF89791FD490B2DF0D466A6EE7CE6458208

Function 00007FFBBAFC59D0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

OSSL_PARAM_locate_const.LIBCRYPTO-3-X64 ref: 00007FFBBAFC59F8
OSSL_PARAM_locate_const.LIBCRYPTO-3-X64 ref: 00007FFBBAFC5A12
OSSL_PARAM_locate_const.LIBCRYPTO-3-X64 ref: 00007FFBBAFC5A2D
OSSL_PARAM_locate_const.LIBCRYPTO-3-X64 ref: 00007FFBBAFC5A48
OSSL_PARAM_locate_const.LIBCRYPTO-3-X64 ref: 00007FFBBAFC5A63

Strings

cur_cwnd_size, xrefs: 00007FFBBAFC5A08
cur_state, xrefs: 00007FFBBAFC5A59
max_dgram_payload_len, xrefs: 00007FFBBAFC59F1
bytes_in_flight, xrefs: 00007FFBBAFC5A3E
min_cwnd_size, xrefs: 00007FFBBAFC5A23

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: M_locate_const
String ID: bytes_in_flight$cur_cwnd_size$cur_state$max_dgram_payload_len$min_cwnd_size
API String ID: 907452466-1387113187
Opcode ID: 0eafc8edb4d05b4f8f6a6bb6a62aa2d77bfde9494fedf44fcdfff33ab2226a6a
Instruction ID: 81f7741c10b4239de1e5f7eff9794108dbc9c38ea8e763939d6f3c3858c48607
Opcode Fuzzy Hash: 0eafc8edb4d05b4f8f6a6bb6a62aa2d77bfde9494fedf44fcdfff33ab2226a6a
Instruction Fuzzy Hash: F41142A1A0975180FA589B3AE5812BD2255FF98BC0FC88075FE4C467A9DFBCE442C308

Function 00007FFBBAFE6C48 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
(Fin), xrefs: 00007FFBBAFE6C48
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Fin)
API String ID: 3964688267-4176003718
Opcode ID: 1d0255ae5694ebb7fefd3947088e5538734a5d05914d500ef8c1d1efe3d62715
Instruction ID: 4960ce75e4311d70690fb4f8b3cc33f4308c02b9392e1cf4eb6e687863a4de8d
Opcode Fuzzy Hash: 1d0255ae5694ebb7fefd3947088e5538734a5d05914d500ef8c1d1efe3d62715
Instruction Fuzzy Hash: AF114CD2E0C74380FA54DB79E8113FC2321BB45789F8490B2EF0E465A6EE7CE5818358

Function 00007FFBBAFE6C5A Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
(Len, Fin), xrefs: 00007FFBBAFE6C5A
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Len, Fin)
API String ID: 3964688267-755667354
Opcode ID: 16f367ae4240672a98a7767e96b65c10421c0f51fc6e25ba0124f9bf0e2256de
Instruction ID: 7a25b13d1af8a0e26aaa2ba72cdc2f6eedc13619b1beb396b599adb1eee28c67
Opcode Fuzzy Hash: 16f367ae4240672a98a7767e96b65c10421c0f51fc6e25ba0124f9bf0e2256de
Instruction Fuzzy Hash: 60114CD2E0C74380FA54DB79E8113FC2321BB45789F8490B2EF0E565A6EE7CE5818358

Function 00007FFBBAFE6C51 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

(Len), xrefs: 00007FFBBAFE6C51
Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Len)
API String ID: 3964688267-4170081695
Opcode ID: 3e5d25003a41a1a08332bc41648cc5491869bf3d0df454954bbc796e0a13d07d
Instruction ID: a20b58a1dfde4100e7df2e1bec9bb64314b4346115b27fc25935f4b0b412644f
Opcode Fuzzy Hash: 3e5d25003a41a1a08332bc41648cc5491869bf3d0df454954bbc796e0a13d07d
Instruction Fuzzy Hash: 69114CD2E0C74380FA14DB79E8113FC2321BB45789F8490B2EF0E465A6EE7CE5818358

Function 00007FFBBAFE6C63 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
(Off), xrefs: 00007FFBBAFE6C63
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off)
API String ID: 3964688267-2743656729
Opcode ID: fc1ecabf71f8efac3d7d06e3fcbc10635bf91dff0d3aa26663b7f0b43a33f7da
Instruction ID: 3f4faad350e455504e10eceba1de5184a4854dff81b023d2a0d4674c22c31e68
Opcode Fuzzy Hash: fc1ecabf71f8efac3d7d06e3fcbc10635bf91dff0d3aa26663b7f0b43a33f7da
Instruction Fuzzy Hash: EB114CD2E0C74380FA54DB79E8113FC2321BB45789F8490B2EF0E465A6EE7CE5818358

Function 00007FFBBAFE6C75 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
(Off, Len), xrefs: 00007FFBBAFE6C75
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Len)
API String ID: 3964688267-741583600
Opcode ID: 39460471fefb9bfff53518c31bbd2de831574e91a9b0d0b91c4677c2e442af46
Instruction ID: d9b4abb839aa6651ae192aa4cee252766e20c4ee4d216bb75c78741bc07663c9
Opcode Fuzzy Hash: 39460471fefb9bfff53518c31bbd2de831574e91a9b0d0b91c4677c2e442af46
Instruction Fuzzy Hash: C0114CD2E0C74380FA14DB79E8113FC2321BB45789F8490B2EF0E465A6EE7CE5818358

Function 00007FFBBAFE6C6C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
(Off, Fin), xrefs: 00007FFBBAFE6C6C
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Fin)
API String ID: 3964688267-743771625
Opcode ID: caf7e5fee4717f8ab89a7dfe5713e7152aefe660eaf53023dd7a75dc91576464
Instruction ID: 8c8727e0fc704fe575b788aabd1a860eaef29feb2463feb4c9c13da90d88b3c1
Opcode Fuzzy Hash: caf7e5fee4717f8ab89a7dfe5713e7152aefe660eaf53023dd7a75dc91576464
Instruction Fuzzy Hash: B8114CD2E0C74380FA14DB79E8113FC2321BB45789F8490B2EF0E465A6EE7CE5818358

Function 00007FFBBAFE6C7E Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6C88
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CB4
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CC7
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CE0
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6CF1
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

(Off, Len, Fin), xrefs: 00007FFBBAFE6C7E
Stream id: %llu, xrefs: 00007FFBBAFE6CAA
Offset: %llu, xrefs: 00007FFBBAFE6CBD
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
Len: %llu, xrefs: 00007FFBBAFE6CD9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$ Stream id: %llu$ (Off, Len, Fin)
API String ID: 3964688267-815063566
Opcode ID: 6c77a1279eeafa0140710d5f0e3d2048da4a8ca5a3994186b9b30239429524b5
Instruction ID: a2afa4a3dc86833284f6ce8b1e4b1333a462f2bdd1be391b1eaeb7871d8a7bda
Opcode Fuzzy Hash: 6c77a1279eeafa0140710d5f0e3d2048da4a8ca5a3994186b9b30239429524b5
Instruction Fuzzy Hash: BB115ED2E0C74380FA14DB79E8113FD2321BB45789F8490B2EF0E066A6EE3CE5858318

Function 00007FFBA96001D0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9600282
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA96002AA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA96002D7
std::_Facet_Register.LIBCPMT ref: 00007FFBA9600350
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960036A

Strings

ios_base::eofbit set, xrefs: 00007FFBA960048E
ios_base::failbit set, xrefs: 00007FFBA9600487
ios_base::badbit set, xrefs: 00007FFBA960047B

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 459529453-1866435925
Opcode ID: 5b17f25813b56badf022bf9bf4f52f7f1f9a87f1acb6ee2b2d5b60855c0f0b48
Instruction ID: 701882177c5756985128473ab2f6b5a94000a81fdf5c2fed8433acc40d602d0f
Opcode Fuzzy Hash: 5b17f25813b56badf022bf9bf4f52f7f1f9a87f1acb6ee2b2d5b60855c0f0b48
Instruction Fuzzy Hash: 00916EA2A0AA4792EB16CF29D8803B967A1FF84B84F159132DE5D83765DF3CD445E300

Function 00007FFBBAFBB9F8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBB6
OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBC5
OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBE1
EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBD03
OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBD9D

Strings

RSA, xrefs: 00007FFBBAFBBCF9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_sk_num$L_sk_valueY_is_a
String ID: RSA
API String ID: 205993254-3431517
Opcode ID: 717d86520b9bdeb9a77892f14711cd35d792b643f31ec7205563042f6de224f9
Instruction ID: f596dcc2a02bbc5ffa61d6bc0efa885f58ea0398b9c5c79589688e0f71428961
Opcode Fuzzy Hash: 717d86520b9bdeb9a77892f14711cd35d792b643f31ec7205563042f6de224f9
Instruction Fuzzy Hash: 0F7181A1E0C24285EA648A3EC6502FD52ADBF64BC6FD440B1DF0EDB7D5DE3CE8418608

Function 00007FFBBAFBFAA0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 182COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBAFBFAEC
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFBFB00

Part of subcall function 00007FFBBAFC10A0: BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBAFC10CA
Part of subcall function 00007FFBBAFC10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBAFBECED), ref: 00007FFBBAFC10E4
Part of subcall function 00007FFBBAFC10A0: BIO_printf.LIBCRYPTO-3-X64(?,00007FFBBAFBECED), ref: 00007FFBBAFC10FF

Strings

psk_identity, xrefs: 00007FFBBAFBFB51
dh_Yc, xrefs: 00007FFBBAFBFCE3
KeyExchangeAlgorithm=%s, xrefs: 00007FFBBAFBFAF6
EncryptedPreMasterSecret, xrefs: 00007FFBBAFBFBF4, 00007FFBBAFBFC46
ecdh_Yc, xrefs: 00007FFBBAFBFD22
GOST-wrapped PreMasterSecret, xrefs: 00007FFBBAFBFC92
GostKeyTransportBlob, xrefs: 00007FFBBAFBFBA6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printf$O_indent
String ID: EncryptedPreMasterSecret$GOST-wrapped PreMasterSecret$GostKeyTransportBlob$KeyExchangeAlgorithm=%s$dh_Yc$ecdh_Yc$psk_identity
API String ID: 1715996925-113291103
Opcode ID: e1d373ff8444aa670017d42d00470ec7122ba3e86ccfd9a924da0431a144429c
Instruction ID: eb9fda5dc9386b8eeca711e0de88129aabc17bed44a6cee852a798cf514f36ff
Opcode Fuzzy Hash: e1d373ff8444aa670017d42d00470ec7122ba3e86ccfd9a924da0431a144429c
Instruction Fuzzy Hash: B861E9A2F0968652EA248B39E4541FD7269BF58391F894272DF9D8B7D5DF3CE108C308

Function 00007FFBBAFAAAF0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB11
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB29
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB3A
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB66
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB73
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB8B
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFAAB9B

Strings

SSL_set_fd, xrefs: 00007FFBBAFAAB16, 00007FFBBAFAAB78
ssl\ssl_lib.c, xrefs: 00007FFBBAFAAB22, 00007FFBBAFAAB84

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$O_new
String ID: SSL_set_fd$ssl\ssl_lib.c
API String ID: 1854182563-2027645073
Opcode ID: 3bf4d22b594411760d0cf080eda92fcbbef96b9ee5f432d2a843eeba7922970c
Instruction ID: ad52545d9b6e9168301bd898847fb95ced5d62d88450e969f27b57fb01be0338
Opcode Fuzzy Hash: 3bf4d22b594411760d0cf080eda92fcbbef96b9ee5f432d2a843eeba7922970c
Instruction Fuzzy Hash: 3F21B0A2E2855182F694A739E4155FD6250BF98784FD09071FF0D43AAADE2CE8498B08

Function 00007FFBBAFA39A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFA39BB
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFA39D3
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFA39E4
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFA3A16
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFA3A2E
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFA3A3F

Strings

ssl\ssl_lib.c, xrefs: 00007FFBBAFA39CC, 00007FFBBAFA3A27
SSL_CTX_set_ct_validation_callback, xrefs: 00007FFBBAFA3A1B
SSL_CTX_enable_ct, xrefs: 00007FFBBAFA39C0

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: SSL_CTX_enable_ct$SSL_CTX_set_ct_validation_callback$ssl\ssl_lib.c
API String ID: 1552677711-1919550876
Opcode ID: f8b0ad7b6c9594f56b14bf841d5992cd98a40ee443a96b7ad4c4afdc8ab1cd4b
Instruction ID: 7cb5599aee6f81cbd56db8c626076dd1648fed2d59d3f4f45e08d23d491d0545
Opcode Fuzzy Hash: f8b0ad7b6c9594f56b14bf841d5992cd98a40ee443a96b7ad4c4afdc8ab1cd4b
Instruction Fuzzy Hash: FA11B6A5E1890242F794A778D4423F92269BF94301FD48171EF0CC26F6EF3CE989C219

Function 00007FFBBAFC3B70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3B95
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3BAD
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3BBE
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3BDD
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3BF5
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3C06
ENGINE_finish.LIBCRYPTO-3-X64 ref: 00007FFBBAFC3C0E

Strings

ssl\tls_depr.c, xrefs: 00007FFBBAFC3BA6, 00007FFBBAFC3BEE
SSL_CTX_set_client_cert_engine, xrefs: 00007FFBBAFC3B9A, 00007FFBBAFC3BE2

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$E_finish
String ID: SSL_CTX_set_client_cert_engine$ssl\tls_depr.c
API String ID: 1317562915-507132928
Opcode ID: b0ddad6b2bc8f66e70613e907a26b3073a1a944dbe9535fbe2a09b4fac1cdcb7
Instruction ID: 6873e1c6ee92ea205ed5cac2641f487973e67896e07acce3c791e8fd04bf6622
Opcode Fuzzy Hash: b0ddad6b2bc8f66e70613e907a26b3073a1a944dbe9535fbe2a09b4fac1cdcb7
Instruction Fuzzy Hash: 23119EA1B1C64242E688E739E9566FD1290BFA8784FD49031FB0D826B7DE2CE4814A08

Function 00007FFBBAFB6AE0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6AFE
BIO_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B06
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B13
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B29
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B39
BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B5D
BIO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6B72

Strings

ssl\ssl_txt.c, xrefs: 00007FFBBAFB6B22
SSL_SESSION_print_fp, xrefs: 00007FFBBAFB6B18

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_newR_set_debugR_set_error
String ID: SSL_SESSION_print_fp$ssl\ssl_txt.c
API String ID: 1031916422-4183950648
Opcode ID: ecb04d8e07290a75cb03d5c9985cd22a311452324e3c8a4c3d3adef4364be37a
Instruction ID: 1a36d82d7ca7e5a141416e09f49f22b7703994504fff87e643e9a7b46bf203ca
Opcode Fuzzy Hash: ecb04d8e07290a75cb03d5c9985cd22a311452324e3c8a4c3d3adef4364be37a
Instruction Fuzzy Hash: 7A0182A1F1865242EA44E77AE5555BD5260BF687C0FC48431FF0D47BABDE3CE4458B08

Function 00007FFBA965F098 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA965F0D8
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA965F4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA965F73F

Strings

p, xrefs: 00007FFBA965F17D
f, xrefs: 00007FFBA965F1DA
f, xrefs: 00007FFBA965F170
p, xrefs: 00007FFBA965F1E2
f, xrefs: 00007FFBA965F325

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47833bed55cd5f9ce051d42473c1711052dc742df4958170f231bc47a6a14847
Instruction ID: 590a5de9c6067df213789180de2bace5305bda1e5a2d9c5e2742548c0158b25f
Opcode Fuzzy Hash: 47833bed55cd5f9ce051d42473c1711052dc742df4958170f231bc47a6a14847
Instruction Fuzzy Hash: 6412B5B6E0E16386FB215E79E91437A7291FF44754FC45035DAD9865D8DF3CE880AB00

Function 00007FFBA9614690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA96146F8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA9614740
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA961487D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9614896
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA96148A9

Strings

true, xrefs: 00007FFBA96147E5
false, xrefs: 00007FFBA96147B3
bad locale name, xrefs: 00007FFBA961489C

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Concurrency::cancel_current_taskLockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 461674175-1062449267
Opcode ID: 2e55ecab2469c7785d41e6ac0d17113250ab93c263ee54653aa34b7f29350d5f
Instruction ID: e2d4eb933d24d8cd98a9e90e8b9f39144b8d208ff59f25d7ece87c468b8712c4
Opcode Fuzzy Hash: 2e55ecab2469c7785d41e6ac0d17113250ab93c263ee54653aa34b7f29350d5f
Instruction Fuzzy Hash: 645190A2B0B74299FB06DFB8D8503BC33B0AF40748F141436DE0DA7A99DE38A516E350

Function 00007FFBBAFC29B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFC29FB
EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2A30
EVP_DigestUpdate.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2A56
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2A73
EVP_DigestInit_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2A89
EVP_DigestFinal_ex.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2AA3

Part of subcall function 00007FFBBAFC3530: EVP_MD_get0_name.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC35B0
Part of subcall function 00007FFBBAFC3530: EVP_KDF_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC35C8
Part of subcall function 00007FFBBAFC3530: ERR_new.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC35E4
Part of subcall function 00007FFBBAFC3530: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC35FC
Part of subcall function 00007FFBBAFC3530: ERR_set_error.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC360D
Part of subcall function 00007FFBBAFC3530: EVP_KDF_CTX_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC3615

Part of subcall function 00007FFBBAFC3530: EVP_KDF_CTX_free.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC3651
Part of subcall function 00007FFBBAFC3530: ERR_new.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC365F
Part of subcall function 00007FFBBAFC3530: ERR_set_debug.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC3677
Part of subcall function 00007FFBBAFC3530: ERR_set_error.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC3688
Part of subcall function 00007FFBBAFC3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC373C
Part of subcall function 00007FFBBAFC3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC376E
Part of subcall function 00007FFBBAFC3530: OSSL_PARAM_construct_octet_string.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC37A7
Part of subcall function 00007FFBBAFC3530: OSSL_PARAM_construct_end.LIBCRYPTO-3-X64(00000000,00000001,00000000,00000000,?,00000000,00000000,00000000,00007FFBBAFDE16B,?,?,?,?,?,00000000,?), ref: 00007FFBBAFC37CE

EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFC2B78

Strings

exporter, xrefs: 00007FFBBAFC2B55

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: Digest$M_construct_octet_stringX_free$Final_exInit_exR_newR_set_debugR_set_error$D_get0_nameF_freeM_construct_endUpdateX_new
String ID: exporter
API String ID: 4114161048-111224270
Opcode ID: 312edda8fc2ab446362c746ef5930450896386ba04ed175f41cf3f51961baa99
Instruction ID: 622a4a89c984b62fddbff28351ac237b551724ab693289ce8936ec0198fff9d3
Opcode Fuzzy Hash: 312edda8fc2ab446362c746ef5930450896386ba04ed175f41cf3f51961baa99
Instruction Fuzzy Hash: A4415772618B8655DA649F2AE5402EAB3A4FB89BC4F404035FF8C47B65EF3CD0418744

Function 00007FFBBB0199B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB0199DA
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB0199F2

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB019A50
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB019A68

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFBBB0199EB, 00007FFBBB019A61, 00007FFBBB019AB4
tls_construct_server_certificate, xrefs: 00007FFBBB0199DF, 00007FFBBB019A55, 00007FFBBB019AA8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: ssl\statem\statem_srvr.c$tls_construct_server_certificate
API String ID: 4275876640-3519723934
Opcode ID: 5cfa0e92c3f7beec7cbdf2390d41e24ddaea7d5e5689eef370432dbd7b18577c
Instruction ID: 37786de4e46d6f8b5a558bb5a1c8e67bc1f92928c2f4cbb926c2c89b9c29b3c7
Opcode Fuzzy Hash: 5cfa0e92c3f7beec7cbdf2390d41e24ddaea7d5e5689eef370432dbd7b18577c
Instruction Fuzzy Hash: AC4195A2B1868241EB54D73AE4556BD6750FB44BC4FC89032FF0D87BAADE2CD5858708

Function 00007FFBBAFE59E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5A38
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5A58
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5A70
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5A81
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5ABE

Strings

P, xrefs: 00007FFBBAFE5A51
ssl\quic\quic_tls.c, xrefs: 00007FFBBAFE5A69
quic_read_record, xrefs: 00007FFBBAFE5A5D

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flagsR_newR_set_debugR_set_error
String ID: P$quic_read_record$ssl\quic\quic_tls.c
API String ID: 3317891849-273162510
Opcode ID: 5102e852573367bdd73e41e4551ebffe2e5e95fe4a8afb0ad7a7b26e73f9f9d2
Instruction ID: 9c5a9ecd08e709bdc84bd782418883aa77abf1f217106c491db5f59e6d66b2f2
Opcode Fuzzy Hash: 5102e852573367bdd73e41e4551ebffe2e5e95fe4a8afb0ad7a7b26e73f9f9d2
Instruction Fuzzy Hash: 9341A1A2608B8186E754CF29E4503AE77A5FB98B88F508035EF8D837A9DF3CD595C704

Function 00007FFBBAFFFB40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFFB76
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFFB8E

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFBBAFFFB87, 00007FFBBAFFFC76
tls_construct_ctos_supported_versions, xrefs: 00007FFBBAFFFB7B, 00007FFBBAFFFC6F

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\extensions_clnt.c$tls_construct_ctos_supported_versions
API String ID: 1390262125-1702352982
Opcode ID: 928fef23d7497f89953d9ca9cd67dd739b978b09f51a2bb39a747053c925bbe6
Instruction ID: ca362ef27de6eb20a4ec5151e394b883d7889deaa3f24681b18a9b31902a149e
Opcode Fuzzy Hash: 928fef23d7497f89953d9ca9cd67dd739b978b09f51a2bb39a747053c925bbe6
Instruction Fuzzy Hash: F131A0A1F0C15341F760A739E5952FE1268BF84BC4F944071EF8C87A96DE2EE646C709

Function 00007FFBBAF9EBD0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFBBAF9EC08
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFBBAF9EC2D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF9EC36
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF9EC4E
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF9EC5F

Strings

ciphersuite_cb, xrefs: 00007FFBBAF9EC3B
P, xrefs: 00007FFBBAF9EC0D
ssl\ssl_ciph.c, xrefs: 00007FFBBAF9EC47, 00007FFBBAF9ECB3

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_sk_pushR_newR_set_debugR_set_errormemcpy
String ID: P$ciphersuite_cb$ssl\ssl_ciph.c
API String ID: 69574139-1019853614
Opcode ID: 8de701af3bd75debb2c76ece76973293a78a9b8b4573dc1533d62060c179c514
Instruction ID: 7abee8155690f25100d2e721bc8ea48026149cda825e3c2215d9ff36c7d750fe
Opcode Fuzzy Hash: 8de701af3bd75debb2c76ece76973293a78a9b8b4573dc1533d62060c179c514
Instruction Fuzzy Hash: 7711A591F0C64256FA54A73CD8953FE5251BF98784FD08031FF8C826A6EE1CE5058709

Function 00007FFBBB0069E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006A36
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006A4E
memcmp.VCRUNTIME140 ref: 00007FFBBB006A7B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006A84
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006AA5
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006ABD

Strings

tls_parse_ctos_renegotiate, xrefs: 00007FFBBB006A40, 00007FFBBB006AAA
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB006A47, 00007FFBBB006AB6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug$memcmp
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_renegotiate
API String ID: 4071200903-75546675
Opcode ID: bb85a8421b4fead51e7594099f54c8f221dcd85dcb336fa1356f195709cf5093
Instruction ID: 11f3509eea65b4ff0585022037add3993d17bc5d0ab167285920aade91583cf0
Opcode Fuzzy Hash: bb85a8421b4fead51e7594099f54c8f221dcd85dcb336fa1356f195709cf5093
Instruction Fuzzy Hash: 0F21BEE2B0868245EB45AB78D8652BC1351FB84B44FD4C432EB0D477A2DF6CE991C308

Function 00007FFBBAF9C9E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA2F
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA47
ERR_set_error.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA55
OPENSSL_sk_new_null.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA75
OPENSSL_sk_push.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA89
X509_up_ref.LIBCRYPTO-3-X64(?,?,?,?,00007FFBBAF97E06), ref: 00007FFBBAF9CA95

Strings

ssl_cert_add0_chain_cert, xrefs: 00007FFBBAF9CA34
ssl\ssl_cert.c, xrefs: 00007FFBBAF9CA40

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pushR_newR_set_debugR_set_errorX509_up_ref
String ID: ssl\ssl_cert.c$ssl_cert_add0_chain_cert
API String ID: 3689422639-2634322016
Opcode ID: 1e7a881c92af8f3abde9f7b5f072c161cd90d143ed16886d35a2f35a9e589d46
Instruction ID: a4df01683be6a8abec0b6aa02a4070ed8f736e39472c246c431fd3a3eea0e988
Opcode Fuzzy Hash: 1e7a881c92af8f3abde9f7b5f072c161cd90d143ed16886d35a2f35a9e589d46
Instruction Fuzzy Hash: 2411D5A1F0864246EA84DB39E4602FD62A4FF55BC5F984431EF4C837A6DF3CE9428608

Function 00007FFBBAF97AE1 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97AE6
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97AFE

Part of subcall function 00007FFBBAFA9E50: EVP_PKEY_get_security_bits.LIBCRYPTO-3-X64(?,00007FFBBAF97B6E), ref: 00007FFBBAFA9E85
Part of subcall function 00007FFBBAFA9E50: ERR_new.LIBCRYPTO-3-X64(?,00007FFBBAF97B6E), ref: 00007FFBBAFA9EA6
Part of subcall function 00007FFBBAFA9E50: ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBAF97B6E), ref: 00007FFBBAFA9EBE
Part of subcall function 00007FFBBAFA9E50: ERR_set_error.LIBCRYPTO-3-X64(?,00007FFBBAF97B6E), ref: 00007FFBBAFA9ECF

ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B0F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B3F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B57
EVP_PKEY_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B75

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF97AF7, 00007FFBBAF97B50
ssl3_ctrl, xrefs: 00007FFBBAF97AEB, 00007FFBBAF97B44

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_set_error$Y_freeY_get_security_bits
String ID: ssl3_ctrl$ssl\s3_lib.c
API String ID: 3247900180-3530330221
Opcode ID: 45c353e25d21d6f4c8c3fd7b4375d0a254dcf3d7912affc0b395e4f61d9e8e64
Instruction ID: c9455bc3a16afb4c1f3572f0c864bbaff11e806a5ed0d228e7b33238b23b04cc
Opcode Fuzzy Hash: 45c353e25d21d6f4c8c3fd7b4375d0a254dcf3d7912affc0b395e4f61d9e8e64
Instruction Fuzzy Hash: 0301C4A0E0CA0242FE59EB38D4512FD1255BF54745FD08472EF0D836EBDE6CE846860C

Function 00007FFBBAFE6B43 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6B4D
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6B79
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6B8C
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Offset: %llu, xrefs: 00007FFBBAFE6B6F
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
Crypto, xrefs: 00007FFBBAFE6B43
Len: %llu, xrefs: 00007FFBBAFE6B82

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ Len: %llu$ Offset: %llu$Crypto
API String ID: 3964688267-430340682
Opcode ID: 8a63c5f8c401c0dfba093aa743dfda9597321817ddcaaddea12e6c6481f277cc
Instruction ID: 88b7e83299a9cf16161f49cb43ec703e0701696aff080a5f8b7e84ce1c44f057
Opcode Fuzzy Hash: 8a63c5f8c401c0dfba093aa743dfda9597321817ddcaaddea12e6c6481f277cc
Instruction Fuzzy Hash: F4011AD2E0C74384FA14DB79E4113FD1361BB89795F9490B2DF0E466A6EE7CE5868308

Function 00007FFBBAFE6AF5 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6AFF
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6B26
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFE6B39
BIO_puts.LIBCRYPTO-3-X64 ref: 00007FFBBAFE7119

Strings

Stream id: %llu, xrefs: 00007FFBBAFE6B1C
Stop sending, xrefs: 00007FFBBAFE6AF5
<unexpected trailing frame data skipped>, xrefs: 00007FFBBAFE710F
App Protocol Error Code: %llu, xrefs: 00007FFBBAFE6B2F

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_printfO_puts
String ID: <unexpected trailing frame data skipped>$ App Protocol Error Code: %llu$ Stream id: %llu$Stop sending
API String ID: 3964688267-1785104151
Opcode ID: 9f1cd5c1f00599a0fdb8453dddf303157e9adee7d9a09485c25566836dd8f4cf
Instruction ID: a7fb3a59fb05149657b9689dfb5637356fab8fcce25bdc50ab4e3550f568e67c
Opcode Fuzzy Hash: 9f1cd5c1f00599a0fdb8453dddf303157e9adee7d9a09485c25566836dd8f4cf
Instruction Fuzzy Hash: 08011AD2E0C74384FA14DB7DE4513FD1361BB49795F8490B2EF0E466A6EE6CE1818308

Function 00007FFBA965ABD4 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFBA965AC31

Part of subcall function 00007FFBA965CF94: __GetUnwindTryBlock.LIBCMT ref: 00007FFBA965CFD7
Part of subcall function 00007FFBA965CF94: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFBA965CFFC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFBA965AD09
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFBA965AF57
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFBA965B064

Strings

csm, xrefs: 00007FFBA965ACB2
csm, xrefs: 00007FFBA965AC4B
csm, xrefs: 00007FFBA965AD2C

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0831bc3e3a03b5664b04802692f68384919d34909ae40a0da6ddf8e94206bac3
Instruction ID: 3e1284370238e87f30b0cb3476e7f8dad59ee03e568e5c479d48cba038e8d179
Opcode Fuzzy Hash: 0831bc3e3a03b5664b04802692f68384919d34909ae40a0da6ddf8e94206bac3
Instruction Fuzzy Hash: 15D16BB2A0964286EB229F79D8403AD77A0FF45798F102235EE8D97B95DF38E091D700

Function 00007FFBA966E80C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFBA966E988
GetProcAddress.KERNEL32 ref: 00007FFBA966E994

Strings

ext-ms-, xrefs: 00007FFBA966E8E5
api-ms-, xrefs: 00007FFBA966E8D2

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 8641cdc6ad1ab41776ad62f776316b063e2d6c7135986c454cd652b613e20c1f
Instruction ID: bd08adc3d8b299fc808f05252d67c41820ed2ffbc14bb1eefc6bd62aeb06a1d2
Opcode Fuzzy Hash: 8641cdc6ad1ab41776ad62f776316b063e2d6c7135986c454cd652b613e20c1f
Instruction Fuzzy Hash: 4641C3A1B1A60391FB5BCF3ADC041792291BF46BD0F486239EE0DC7784EE3CE415A240

Function 00007FFBBB006AE0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB006B64
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB006BDC

Strings

tls_parse_ctos_server_cert_type, xrefs: 00007FFBBB006BA5, 00007FFBBB006BCE
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB006BB1, 00007FFBBB006BD5

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_parse_ctos_server_cert_type
API String ID: 193678381-2874584118
Opcode ID: 6d8631077a1984b73a53912ccfce7917677c6bb252745496a2f40c71b3a5a292
Instruction ID: 70c7b814f36e829677779f8208324b8a292d3774b403af50884304f63f4bb859
Opcode Fuzzy Hash: 6d8631077a1984b73a53912ccfce7917677c6bb252745496a2f40c71b3a5a292
Instruction Fuzzy Hash: 65218EE1A1D68645EE00DB78D4242B92391FF54788FC4D431EB8D466A6EF6CD686C309

Function 00007FFBBB018AAF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB018ADC
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB018AF4

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFBBB018AED
ossl_statem_server_read_transition, xrefs: 00007FFBBB018AE1
, xrefs: 00007FFBBB018B44

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flagsR_newR_set_debugR_vset_error
String ID: $ossl_statem_server_read_transition$ssl\statem\statem_srvr.c
API String ID: 3455785776-558299289
Opcode ID: 8cf5daad4b3786bdbf230bd70d87b9ae8d226cc96fe09fbd800354ea9b8bf0ac
Instruction ID: 66c5b30027fa39941f616b5832d96df7aea2d57274d6a891fa309aa90c61cf27
Opcode Fuzzy Hash: 8cf5daad4b3786bdbf230bd70d87b9ae8d226cc96fe09fbd800354ea9b8bf0ac
Instruction Fuzzy Hash: 2721A2A1F0924246FB999B79D0953BD1390FB44744F88D031EB0C4A6D6CF7C99D58719

Function 00007FFBBB000C10 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB000C53
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB000C6B
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB000CA6
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB000CB2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB000CCA

Strings

ssl\statem\extensions_clnt.c, xrefs: 00007FFBBB000C64, 00007FFBBB000CC3
tls_parse_stoc_maxfragmentlen, xrefs: 00007FFBBB000C5D, 00007FFBBB000CB7

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: ssl\statem\extensions_clnt.c$tls_parse_stoc_maxfragmentlen
API String ID: 476316267-3788999166
Opcode ID: 65d4d03e7a566a0d90403e4520b0f16ec32eeb22bf4ef4904a962091549d036e
Instruction ID: 5d265b2891be99dbef127747d8637d786d9f4cd71b79c986a36d04edbf09ad2f
Opcode Fuzzy Hash: 65d4d03e7a566a0d90403e4520b0f16ec32eeb22bf4ef4904a962091549d036e
Instruction Fuzzy Hash: 7E11BEE2A0868A85FB41A778D8656FD2750FF54780FD4C432DB4C477A2EE2CA5D2C718

Function 00007FFBBAFE5B70 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5BBC
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5BE2
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5BFA
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5C0B

Strings

P, xrefs: 00007FFBBAFE5BDB
ssl\quic\quic_tls.c, xrefs: 00007FFBBAFE5BF3
quic_release_record, xrefs: 00007FFBBAFE5BEC

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debugR_set_error
String ID: P$quic_release_record$ssl\quic\quic_tls.c
API String ID: 1911843320-2784669786
Opcode ID: 61e25446c6bd95800c753039f2c538c45abd5ab38b71fce05297fe64c514133b
Instruction ID: c4d908373d844dd07a08e29f771827bda6a20f2bf6158ec67d0a9df3d924bae7
Opcode Fuzzy Hash: 61e25446c6bd95800c753039f2c538c45abd5ab38b71fce05297fe64c514133b
Instruction Fuzzy Hash: CF1191E2E0960582FB589B38C4843BD2254FF54B49FA44071DB0D877A5EF7CD885C709

Function 00007FFBA9669050 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9669093
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9669480
_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA966971C

Strings

p, xrefs: 00007FFBA96691BD
p, xrefs: 00007FFBA9669145
f, xrefs: 00007FFBA96691B5

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 03d55e367ab389e9976e01b60564d7a503353a681fb22da65b418983acbbbbfb
Instruction ID: 74454c1546f564925ff0a4851959490f836debb036a40cf02ff5f4aae9ab3f0a
Opcode Fuzzy Hash: 03d55e367ab389e9976e01b60564d7a503353a681fb22da65b418983acbbbbfb
Instruction Fuzzy Hash: E812A4B2A0E24386FB295F39E9442797651FF82750F845136DF9AC76C8DB3DE480AB10

Function 00007FFBA9671A6C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9671E99

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 015eee4517863c79a2ef9e054bf83f17705a2ec9c82f912e0f37472ab7b542cd
Instruction ID: 726f6c5dcda968105fe4d5d09427d6ea62fb63e2fd664ebf16c96367823579f4
Opcode Fuzzy Hash: 015eee4517863c79a2ef9e054bf83f17705a2ec9c82f912e0f37472ab7b542cd
Instruction Fuzzy Hash: 88C1C4A2A0A68751E7668F7DD8802BD3B60EF81B80F566132DE4DC3395EF7CE445A700

Function 00007FFBBB019B80 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB019C8C
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB019DB9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB019DDD

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFBBB019DD6
tls_construct_server_hello, xrefs: 00007FFBBB019DCF

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$R_set_debug
String ID: ssl\statem\statem_srvr.c$tls_construct_server_hello
API String ID: 476316267-2897734461
Opcode ID: fcccec5a388e96a64d1970221dcf536f6059a48408583103926adf335c035ff8
Instruction ID: fc47b1acda7075cc6f10ccdeffe06ffc8229362575f9023d9a2fc39e6db875a0
Opcode Fuzzy Hash: fcccec5a388e96a64d1970221dcf536f6059a48408583103926adf335c035ff8
Instruction Fuzzy Hash: 7E6163B2A0868681FB689A39D4447B93794FB40BC8F94C036EF4D876A5DF7CD542C358

Function 00007FFBBAFBBA04 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBB6
OPENSSL_sk_value.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBC5
OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBBE1
EVP_PKEY_is_a.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBD03
OPENSSL_sk_num.LIBCRYPTO-3-X64(00000000,?,00000000,?,?,?,00000001,00007FFBBAFBCAC7,?,00007FFBBAF97658), ref: 00007FFBBAFBBD9D

Strings

RSA, xrefs: 00007FFBBAFBBCF9

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_sk_num$L_sk_valueY_is_a
String ID: RSA
API String ID: 205993254-3431517
Opcode ID: 0ca79a7e7ef14ec7464fa19e28766dec987ff94601dcf16621220e8d7278537b
Instruction ID: 0f22172ad7b0ca437b1fdbe7bcea3a57915c6457162bf7438930ccd08883301e
Opcode Fuzzy Hash: 0ca79a7e7ef14ec7464fa19e28766dec987ff94601dcf16621220e8d7278537b
Instruction Fuzzy Hash: D15193A2E0C24285EA648A3AC7502FD52BDBF65BC6F9440B1DF0EDB6D5DE3CE4418208

Function 00007FFBA95F2460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA95F24CB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA95F2513
_Getctype.LIBCPMT ref: 00007FFBA95F252B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA95F25E3
_Getwctype.LIBCPMT ref: 00007FFBA95F2631

Strings

bad locale name, xrefs: 00007FFBA95F2606

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: e83a971e1f96b0c3963afa7e28b2e882f9c4ff90e6728a80313ee92ed1d42185
Instruction ID: 7cf19a0c5ac182478721cd5ed9b5ef635cf19cc58f7aa3dae0acbe28fcb114f9
Opcode Fuzzy Hash: e83a971e1f96b0c3963afa7e28b2e882f9c4ff90e6728a80313ee92ed1d42185
Instruction Fuzzy Hash: BF519AA2B0AB828AFB16DFB4D8512BD3370AF44748F045138DF4DA6A56CF38E556E350

Function 00007FFBA965D4FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFBA965D581
GetLastError.KERNEL32 ref: 00007FFBA965D58F
LoadLibraryExW.KERNEL32 ref: 00007FFBA965D5B9
FreeLibrary.KERNEL32 ref: 00007FFBA965D627
GetProcAddress.KERNEL32 ref: 00007FFBA965D633

Strings

api-ms-, xrefs: 00007FFBA965D5A1

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 76b39e863004a22348038b9426165de70dc15e0bc0b8fcc8358453bb12594b00
Instruction ID: 0c1aae55f2f87ac14ebe4cfac891ff69b03ee277aad920b5f0a55e91474f2316
Opcode Fuzzy Hash: 76b39e863004a22348038b9426165de70dc15e0bc0b8fcc8358453bb12594b00
Instruction Fuzzy Hash: 0C31BCA1A1BA4391EB1BDF2AEC1013923D4FF04BA8F895935DD1D8A780EF7CE445A700

Function 00007FFBBAFF8BF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAF91740: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF920F6
Part of subcall function 00007FFBBAF91740: CRYPTO_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF92138

ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBAFF5844), ref: 00007FFBBAFF8CD4
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBAFF5844), ref: 00007FFBBAFF8CEC
ERR_new.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBAFF5844), ref: 00007FFBBAFF8D0A
ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FFBBAFF5844), ref: 00007FFBBAFF8D22

Strings

tls_initialise_write_packets_default, xrefs: 00007FFBBAFF8CD9, 00007FFBBAFF8D0F
ssl\record\methods\tls_common.c, xrefs: 00007FFBBAFF8CE5, 00007FFBBAFF8D1B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_zalloc
String ID: ssl\record\methods\tls_common.c$tls_initialise_write_packets_default
API String ID: 2822291608-433091719
Opcode ID: 76aa22a4aaccd3730c27be6f5947fc2801cdc8750fdd7d2ce1e19ca69cc863dd
Instruction ID: d2de55dba6efa4687fffbee1ac7967d803954cbae70b5c3513e19daad9680e2b
Opcode Fuzzy Hash: 76aa22a4aaccd3730c27be6f5947fc2801cdc8750fdd7d2ce1e19ca69cc863dd
Instruction Fuzzy Hash: 5531D2A3F0968282E7409B3AE8456FA6754FB947C4F448032EF4D83BA6DF7DE1418748

Function 00007FFBBAFB79B0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBAF96310: BIO_ctrl.LIBCRYPTO-3-X64 ref: 00007FFBBAF96352
Part of subcall function 00007FFBBAF96310: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF9635E
Part of subcall function 00007FFBBAF96310: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF96376

Part of subcall function 00007FFBBAFAF140: EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF17D
Part of subcall function 00007FFBBAFAF140: EVP_MD_get_size.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF185
Part of subcall function 00007FFBBAFAF140: EVP_MD_CTX_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF198
Part of subcall function 00007FFBBAFAF140: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF1A5
Part of subcall function 00007FFBBAFAF140: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF200
Part of subcall function 00007FFBBAFAF140: EVP_MD_CTX_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFAF21D

Part of subcall function 00007FFBBAFB6CC0: ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6D85
Part of subcall function 00007FFBBAFB6CC0: ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB6DA3

OPENSSL_cleanse.LIBCRYPTO-3-X64 ref: 00007FFBBAFB7AB6

Strings

0, xrefs: 00007FFBBAFB7AF4
master secret, xrefs: 00007FFBBAFB7B3B
, xrefs: 00007FFBBAFB7B23
, xrefs: 00007FFBBAFB7B42
extended master secret, xrefs: 00007FFBBAFB7A8D

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$D_get_sizeL_cleanseO_ctrlX_freeX_get0_cipherX_new
String ID: $ $0$extended master secret$master secret
API String ID: 1082017977-741269486
Opcode ID: b144277d6bbb0e303d512a80b9faeac888aa8dabcaa9d5c2572c66ea408fa9e0
Instruction ID: 1f5341a002d7193d7b135ed0fa94ee665e4d3008fc53be688be0f8dd27edd84a
Opcode Fuzzy Hash: b144277d6bbb0e303d512a80b9faeac888aa8dabcaa9d5c2572c66ea408fa9e0
Instruction Fuzzy Hash: C3410AB2908B8185E765CB25F44039AB7A8FB88784F948135EF8C83BA9DF7CD155CB04

Function 00007FFBA9669F80 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFBA9669F8F
FlsGetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FA4
FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FC5
FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA9669FF2
FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA966A003
FlsSetValue.KERNEL32(?,?,00000000,00007FFBA9665965), ref: 00007FFBA966A014
SetLastError.KERNEL32 ref: 00007FFBA966A02F

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 06b34947dc6c3753413accfa103ba2896aa396b4cd56c573f3b78565dde85132
Instruction ID: d128e05af35463d0dcbc71b3daaaf6a1669e6c2f19ba5bc559dae9a89394bdd7
Opcode Fuzzy Hash: 06b34947dc6c3753413accfa103ba2896aa396b4cd56c573f3b78565dde85132
Instruction Fuzzy Hash: FD217AA0A0E64342FB2FAF39DD5513922915F467F4F046634EE3E866D6DE3DA8006240

Function 00007FFBBAFABAA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFABAD1
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFABAE9
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFABAFA
ERR_clear_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFABB13

Strings

ssl\ssl_lib.c, xrefs: 00007FFBBAFABAE2
SSL_clear, xrefs: 00007FFBBAFABAD6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_clear_errorR_newR_set_debugR_set_error
String ID: SSL_clear$ssl\ssl_lib.c
API String ID: 316169390-283065258
Opcode ID: b720089eeedaff3196e5f058fa76cc12c6884403f6b9091f27a65491424013f6
Instruction ID: 8fed0d41e77b768835babeb4f689618e73691870be2469984ae25164ccfb542c
Opcode Fuzzy Hash: b720089eeedaff3196e5f058fa76cc12c6884403f6b9091f27a65491424013f6
Instruction Fuzzy Hash: 6021D472F1854286FB949B3DE0463F82264FF54795F984270EF1D826E6DE2CD884C708

Function 00007FFBBAFFBB10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBB34
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBB4C

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBB96
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBBAE

Strings

ssl\statem\extensions.c, xrefs: 00007FFBBAFFBB45, 00007FFBBAFFBBA7
final_ems, xrefs: 00007FFBBAFFBB39, 00007FFBBAFFBB9B

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: final_ems$ssl\statem\extensions.c
API String ID: 4275876640-224909566
Opcode ID: 0da9a07e1feb414013fdeba588f310a082dc6ae0b632e0890db4051c38c98f88
Instruction ID: 3f60df7487c54c61eac073eb69122e57f214b2747850b089b47b408a4f2014d2
Opcode Fuzzy Hash: 0da9a07e1feb414013fdeba588f310a082dc6ae0b632e0890db4051c38c98f88
Instruction Fuzzy Hash: B61193F2E0514287F784D739C44A7F82355FF98754F948071E70C426B5DE6DA586C60D

Function 00007FFBA967CDF4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFBA967CE25
GetLastError.KERNEL32 ref: 00007FFBA967CE31
CloseHandle.KERNEL32 ref: 00007FFBA967CE49
CreateFileW.KERNEL32 ref: 00007FFBA967CE74
WriteConsoleW.KERNEL32 ref: 00007FFBA967CE93

Strings

CONOUT$, xrefs: 00007FFBA967CE55

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5efcbc88d83fcdf4f44c9a03810c15d55047eb5be8823b17ea1a73f079ff057b
Instruction ID: ee220f8278d81ad2eeaa8953c6ea2b0602cb14d1a055fa11e3b57098af6d160c
Opcode Fuzzy Hash: 5efcbc88d83fcdf4f44c9a03810c15d55047eb5be8823b17ea1a73f079ff057b
Instruction Fuzzy Hash: 0911BEA2A19A4282E7528F6AEC4832977A0FB98FE0F044234EE5DC37A4CF7CD4008700

Function 00007FFBBAF959F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-3-X64 ref: 00007FFBBAF95A4D
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF95A5A
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF95A71
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF95A82
strchr.VCRUNTIME140 ref: 00007FFBBAF95AB8
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFBBAF95B30
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF95B51
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF95B66
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF95B74
OPENSSL_sk_free.LIBCRYPTO-3-X64 ref: 00007FFBBAF95B7C

Strings

ssl_ctx_make_profiles, xrefs: 00007FFBBAF95A5F
ssl\d1_srtp.c, xrefs: 00007FFBBAF95A6A

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$L_sk_freeL_sk_new_nullstrchrstrncmp
String ID: ssl\d1_srtp.c$ssl_ctx_make_profiles
API String ID: 4085728402-797804856
Opcode ID: 8847f4933e00ffb02b96382a3c5e0800a52636921573a3eae90287bfdbb066db
Instruction ID: 7fc24bb4363a7fafaf8f5719c448500acda524cd35b3b3bf5e97e560993ca961
Opcode Fuzzy Hash: 8847f4933e00ffb02b96382a3c5e0800a52636921573a3eae90287bfdbb066db
Instruction Fuzzy Hash: F00196E2E0A61245FA59E779D8957FD2255BF54384FD4C030EE0C82795ED3CD5474708

Function 00007FFBBAF929E0 Relevance: 10.5, APIs: 7, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFBBAF929F6
EnterCriticalSection.KERNEL32 ref: 00007FFBBAF92A0C
EnterCriticalSection.KERNEL32 ref: 00007FFBBAF92A1F
LeaveCriticalSection.KERNEL32 ref: 00007FFBBAF92A31
LeaveCriticalSection.KERNEL32 ref: 00007FFBBAF92A44
ReleaseSemaphore.KERNEL32 ref: 00007FFBBAF92A55
LeaveCriticalSection.KERNEL32 ref: 00007FFBBAF92A5F

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$CurrentReleaseSemaphoreThread
String ID:
API String ID: 4252005047-0
Opcode ID: 028c4c0836ae4cabca33a3449e1248e774a890a0f4de7988a47adc37785eea0e
Instruction ID: 18061a4aa8294f3914604cea47a67b873b5b701b47b2dc658c98dba984466701
Opcode Fuzzy Hash: 028c4c0836ae4cabca33a3449e1248e774a890a0f4de7988a47adc37785eea0e
Instruction Fuzzy Hash: E611E8B6A14B01D7E7589F75E9945283370FB48B45F948431CF0E83B24EF38E4A88704

Function 00007FFBBAFB2C60 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2C8F
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2CA7
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2CB7
RSA_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFB2CD9

Strings

SSL_CTX_use_RSAPrivateKey_ASN1, xrefs: 00007FFBBAFB2C94
ssl\ssl_rsa_legacy.c, xrefs: 00007FFBBAFB2CA0

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: A_freeR_newR_set_debugR_set_error
String ID: SSL_CTX_use_RSAPrivateKey_ASN1$ssl\ssl_rsa_legacy.c
API String ID: 4284916926-3527806555
Opcode ID: dcf2d47ae0eac96585e7b31662573dda4dd776a59a605c140b5ae1f888b9e1df
Instruction ID: 116240776fd326a69184187fb9f752dd81d0398cc9960ab204a270377fe4ad4f
Opcode Fuzzy Hash: dcf2d47ae0eac96585e7b31662573dda4dd776a59a605c140b5ae1f888b9e1df
Instruction Fuzzy Hash: BF018BE1B1864181EA48A77DE5512BD5250BF687C0FC49431FB4D47BABDD2CE4554604

Function 00007FFBA9657834 Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFBA96578A4
MultiByteToWideChar.KERNEL32 ref: 00007FFBA9657942
LCMapStringEx.KERNEL32 ref: 00007FFBA96579AB
LCMapStringEx.KERNEL32 ref: 00007FFBA96579FD
LCMapStringEx.KERNEL32 ref: 00007FFBA9657AA2
WideCharToMultiByte.KERNEL32 ref: 00007FFBA9657AFC

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3559cd5ac31900c5de25c09fb74e64bce848a02125ac3323b5fe389174ec6fba
Instruction ID: dac6e8a5070cf9336af5fe36cc4e3bd34df63ed57d96fcc3d4b58c6aa999b958
Opcode Fuzzy Hash: 3559cd5ac31900c5de25c09fb74e64bce848a02125ac3323b5fe389174ec6fba
Instruction Fuzzy Hash: BC8191B2A0A74386EB258F39E9402A972A6FF447E4F141635EE5D87BD8DF3CD5009710

Function 00007FFBBAFA7B30 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7BB8
OPENSSL_sk_value.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7BC6
OPENSSL_sk_new_null.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7BEB
OPENSSL_sk_push.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7BFE
OPENSSL_sk_num.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7C0C
OPENSSL_sk_free.LIBCRYPTO-3-X64 ref: 00007FFBBAFA7C1D

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: L_sk_num$L_sk_freeL_sk_new_nullL_sk_pushL_sk_value
String ID:
API String ID: 1173513325-0
Opcode ID: 6b500d0c9a1a1803aee1c5ada926352a13d2bbd8437f3adec64672f62db75574
Instruction ID: d5ecedba5608d03e50eca9acf8bba3907bc9c965669e418146931bc45ae914f2
Opcode Fuzzy Hash: 6b500d0c9a1a1803aee1c5ada926352a13d2bbd8437f3adec64672f62db75574
Instruction Fuzzy Hash: 11214191F0965242FE65AA3AE4405F952A8BF50FC1F488474EF8DD7B95EE3CE842830C

Function 00007FFBA960CD20 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960CD35
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960CD5A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960CD84
std::_Facet_Register.LIBCPMT ref: 00007FFBA960CDFB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960CE15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA960CE28

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a839f18189c311368e1d70b69ed062b455ccc9cfc6948ef61b0e577f2a943fd8
Instruction ID: 5d7e27046cb6d9b8d7976c450e94288ea53a7fd91b407d06a1b4bdd49d7da15a
Opcode Fuzzy Hash: a839f18189c311368e1d70b69ed062b455ccc9cfc6948ef61b0e577f2a943fd8
Instruction Fuzzy Hash: 2B317CA2A0AA4391FB669F39EC801B97761EF54BA0F486132DE0D832D5DE3CE445E310

Function 00007FFBA9607A50 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9607A65
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9607A8A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA9607AB4
std::_Facet_Register.LIBCPMT ref: 00007FFBA9607B2B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA9607B45
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9607B58

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: cdb3a4067d2b3f7359d6d050f224bec92e2cea8e49e8b64b3f1b6459bf4d05d2
Instruction ID: ecfe8cb940b7f41bb3139b673d8ef8e54d9f99b53758d3b859551530e89d3001
Opcode Fuzzy Hash: cdb3a4067d2b3f7359d6d050f224bec92e2cea8e49e8b64b3f1b6459bf4d05d2
Instruction Fuzzy Hash: AF317CA2A0AA4391FB169F39EC902B96361EF54BA1F486132DE1D87295DF7CE445E300

Function 00007FFBA960D8F0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960D905
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960D92A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960D954
std::_Facet_Register.LIBCPMT ref: 00007FFBA960D9CB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960D9E5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA960D9F8

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 3df7aebe532bdd19fc4c1422cc0143be42b08bf05584b801fa98cd4bbc5870da
Instruction ID: 8998779f94ace981679cd8c1df50522f5bb99e729e2f0196878e93fbfcf1ca21
Opcode Fuzzy Hash: 3df7aebe532bdd19fc4c1422cc0143be42b08bf05584b801fa98cd4bbc5870da
Instruction Fuzzy Hash: 52316BA2A0AA4391FB169F39E89017D63A1BF94BA0F486231DE5D83295DE7CE445D300

Function 00007FFBA960E070 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960E085
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA960E0AA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960E0D4
std::_Facet_Register.LIBCPMT ref: 00007FFBA960E14B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA960E165
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA960E178

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 5d33bdc3e3ef1b980de2aceecf19f46871841d5928fd1ee5957cc2898ce891af
Instruction ID: 608710a0821f3444ead5da79fc63263f0ca1ffd0de2e38748cc54294b893a81e
Opcode Fuzzy Hash: 5d33bdc3e3ef1b980de2aceecf19f46871841d5928fd1ee5957cc2898ce891af
Instruction Fuzzy Hash: 71318EB2A0AA0395FB179F39EC801796361EF54BA0F486131DE1D87295DF3CE445E300

Function 00007FFBA965B0A4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFBA965B242
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFBA965B56B

Strings

csm, xrefs: 00007FFBA965B1EB
csm, xrefs: 00007FFBA965B269
csm, xrefs: 00007FFBA965B189

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: acc46c23ddce47162b010fa1bd59e9d93fbd3706b307eaacc92db52a1727eed4
Instruction ID: 1ffb0c9a883843fbcf7dd3c201d580710baaeec9fe5988dabc08f863bb6e5bd5
Opcode Fuzzy Hash: acc46c23ddce47162b010fa1bd59e9d93fbd3706b307eaacc92db52a1727eed4
Instruction Fuzzy Hash: AEE1A1B29097838AE7229F79D8812BD3BA0FF45748F142135DE8D97696CF38E481E740

Function 00007FFBA966A0F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFBA966A107
FlsSetValue.KERNEL32(?,?,0000598BCE9B0F0A,00007FFBA9664C05,?,?,?,?,00007FFBA9673EFA,?,?,00000000,00007FFBA9675E0F,?,?,?), ref: 00007FFBA966A13D
FlsSetValue.KERNEL32(?,?,0000598BCE9B0F0A,00007FFBA9664C05,?,?,?,?,00007FFBA9673EFA,?,?,00000000,00007FFBA9675E0F,?,?,?), ref: 00007FFBA966A16A
FlsSetValue.KERNEL32(?,?,0000598BCE9B0F0A,00007FFBA9664C05,?,?,?,?,00007FFBA9673EFA,?,?,00000000,00007FFBA9675E0F,?,?,?), ref: 00007FFBA966A17B
FlsSetValue.KERNEL32(?,?,0000598BCE9B0F0A,00007FFBA9664C05,?,?,?,?,00007FFBA9673EFA,?,?,00000000,00007FFBA9675E0F,?,?,?), ref: 00007FFBA966A18C
SetLastError.KERNEL32 ref: 00007FFBA966A1A7

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: dc37bebaa8a628858bddee845942cc315ae14bff33d022213f9704b7f6f5adad
Instruction ID: 015b75727c112fa85cb18815cd0fef1313fb8a82f449846996f1a0bc4475439e
Opcode Fuzzy Hash: dc37bebaa8a628858bddee845942cc315ae14bff33d022213f9704b7f6f5adad
Instruction Fuzzy Hash: B9114CA0B0F64342FB2F9F39DD5503962A25F467B0F046634EE3E866D6DE3DA401B200

Function 00007FFBA95F2150 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA95F21BB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA95F2203
_Getctype.LIBCPMT ref: 00007FFBA95F221B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA95F22AB

Strings

bad locale name, xrefs: 00007FFBA95F22CE

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: eb001091504ac8081e0ba0df1594f63ea6353e7162750497844c0b97a3a0933c
Instruction ID: a3553c0eec1a987a517241350642973d9a41a704ae79f9e70e359624bfc379d8
Opcode Fuzzy Hash: eb001091504ac8081e0ba0df1594f63ea6353e7162750497844c0b97a3a0933c
Instruction Fuzzy Hash: 2F417AA2B0BB4299FB16DFB4D8512BD2370AF40748F045439DE4DA6A9ACF38D51AE340

Function 00007FFBBB0049B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB004A42

Part of subcall function 00007FFBBAF91C50: CRYPTO_zalloc.LIBCRYPTO-3-X64 ref: 00007FFBBAF91C95

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB004A4E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB004A66

Strings

tls_construct_stoc_supported_versions, xrefs: 00007FFBBB004A58
ssl\statem\extensions_srvr.c, xrefs: 00007FFBBB004A5F

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_new$O_zallocR_set_debug
String ID: ssl\statem\extensions_srvr.c$tls_construct_stoc_supported_versions
API String ID: 3661993454-4203788918
Opcode ID: 5361361cb8ef8a2e52ad03665cacb31d5d65c32ae060ee2d0db4cbebd068e1a9
Instruction ID: 51ee394bd7f3d6be9e49512630433fd5320a29e7e13400e7bc5d8287d8538ed5
Opcode Fuzzy Hash: 5361361cb8ef8a2e52ad03665cacb31d5d65c32ae060ee2d0db4cbebd068e1a9
Instruction Fuzzy Hash: 9C21AEA2B0814646FB54963AE9A47BD1361BFC57C4F948071EF0C876E7EE6DE881930C

Function 00007FFBBAFC0B6F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3-X64 ref: 00007FFBBAFC0B93
BIO_printf.LIBCRYPTO-3-X64 ref: 00007FFBBAFC0BD0

Strings

%s=0x%x (%s), xrefs: 00007FFBBAFC0BC9
server_version, xrefs: 00007FFBBAFC0BBF
cookie, xrefs: 00007FFBBAFC0C01

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_indentO_printf
String ID: %s=0x%x (%s)$cookie$server_version
API String ID: 1860387303-2821402668
Opcode ID: a940f3b7a24d50b7e4e351222ed599abd1bb65f0fdbb4cd931de438e67b08520
Instruction ID: 58a30d4cf50315b3effc7df2fafed7a0efee81ef72e49bc19bfede823ed859cd
Opcode Fuzzy Hash: a940f3b7a24d50b7e4e351222ed599abd1bb65f0fdbb4cd931de438e67b08520
Instruction Fuzzy Hash: 3F1108A2F0829155EA10CB79E4141FD3258FB84765F858272DF6C876E6EE7CD182C30C

Function 00007FFBBAFE5C30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5C56
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5C6E
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAFE5C7F

Strings

quic_set_protocol_version, xrefs: 00007FFBBAFE5C5B
ssl\quic\quic_tls.c, xrefs: 00007FFBBAFE5C67

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: quic_set_protocol_version$ssl\quic\quic_tls.c
API String ID: 1552677711-978048924
Opcode ID: 4e968e8428bb09aff2c4d3c7654aab038859941f1975555b1a579969c78df0fe
Instruction ID: acf1808114930463b84a754f9115f9ef079c846947683164c570adae0264c8fe
Opcode Fuzzy Hash: 4e968e8428bb09aff2c4d3c7654aab038859941f1975555b1a579969c78df0fe
Instruction Fuzzy Hash: A0F090E2F0920147FB98977CC5997FC1284BF54305FA88470EF4C826B6DF2C99868609

Function 00007FFBA9668090 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFBA96680B5
GetProcAddress.KERNEL32 ref: 00007FFBA96680CB
FreeLibrary.KERNEL32 ref: 00007FFBA96680F2

Strings

mscoree.dll, xrefs: 00007FFBA96680AC
CorExitProcess, xrefs: 00007FFBA96680C4

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 30f2bdb525de3166ff0d6503a759e96adb1dc2267672f307e9d18188c54f08e5
Instruction ID: 0a74de98d9911108126813faf9c70e9a51a8aea00954501d0cdc4cfc8aae6b1f
Opcode Fuzzy Hash: 30f2bdb525de3166ff0d6503a759e96adb1dc2267672f307e9d18188c54f08e5
Instruction Fuzzy Hash: 91F062A1A1A60391FB1A8F74E8493396360EF89BE5F581639DE6DCA1E4DF3CD044E310

Function 00007FFBBAF97BB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97AFE
ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B0F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97BBD

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF97AF7
ssl3_ctrl, xrefs: 00007FFBBAF97BC2

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ssl3_ctrl$ssl\s3_lib.c
API String ID: 1552677711-3530330221
Opcode ID: 40067164864a4a7e23fcf65eba692f3328a1f9b77b06b008942a7021cdaa2fe3
Instruction ID: bf91bf45c435d76a9cff5eff605a8aef933abc89dccb4876a8e71cd7706b2e7d
Opcode Fuzzy Hash: 40067164864a4a7e23fcf65eba692f3328a1f9b77b06b008942a7021cdaa2fe3
Instruction Fuzzy Hash: 72F024A2F0CA4182EA44EB38E4401FD6311FF84744FC08032DF4C83AAADE6CE846C709

Function 00007FFBBAF97B7C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ERR_set_error.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B0F
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B7C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAF97B94

Strings

ssl\s3_lib.c, xrefs: 00007FFBBAF97B8D
ssl3_ctrl, xrefs: 00007FFBBAF97B81

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ssl3_ctrl$ssl\s3_lib.c
API String ID: 1552677711-3530330221
Opcode ID: 020e8f8e706ceab002d3951e0eb20ee59482c098b6842db8e2a32c2a221e1dd0
Instruction ID: da649be794f2e4396c5aebcd6d8b0a69bcd086627e6bd96a2edca382c53f3ed5
Opcode Fuzzy Hash: 020e8f8e706ceab002d3951e0eb20ee59482c098b6842db8e2a32c2a221e1dd0
Instruction Fuzzy Hash: ECE09262B0C90182E645E728E4510BE6311FB84354FD08432EF4D436AADE7DE5868B08

Function 00007FFBA965A4A4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFBA965A5C7
__AdjustPointer.LIBCMT ref: 00007FFBA965A612

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 4fc56e5430fca43548514caf0c30e7dbfba768a95f162d7ea9833b9f41cf1bc7
Instruction ID: 1828724f503430cda70b207ee98a3e0c33cccdeac5ee56d6bd1f260e8a50223f
Opcode Fuzzy Hash: 4fc56e5430fca43548514caf0c30e7dbfba768a95f162d7ea9833b9f41cf1bc7
Instruction Fuzzy Hash: 48B1A0E1A0B64381EB67DF39D94063967A0AF54B94F49A836DE4D87789DF2CE441E300

Function 00007FFBA9670B28 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFBA9670B67
_set_statfp.LIBCMT ref: 00007FFBA9670B85
_set_statfp.LIBCMT ref: 00007FFBA9670BAE
_set_statfp.LIBCMT ref: 00007FFBA9670DEA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 0d8286d09157b6f9836448fc4a9ee9a03488a2376ce8f8fb6af6fd99cc663f2b
Instruction ID: c78367380eb59275a8ff22dd7781afcecdb8ce71e55734a9c5f4dbab93073d04
Opcode Fuzzy Hash: 0d8286d09157b6f9836448fc4a9ee9a03488a2376ce8f8fb6af6fd99cc663f2b
Instruction Fuzzy Hash: 7A8104A290AB4785F3638F3CEC5037A6650AF55398F146332ED4EE65A8DF3CB481A610

Function 00007FFBA967DF1C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFBA967DF44
_set_statfp.LIBCMT ref: 00007FFBA967DF5F
_set_statfp.LIBCMT ref: 00007FFBA967DF7B
_set_statfp.LIBCMT ref: 00007FFBA967DFB7

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction ID: eda77399b80335b0d29b05b64fc7d7dc430f07a31895b303ab3280c906f69bb3
Opcode Fuzzy Hash: e65ba792651367d839098e214d5891407b2dde01c0b567b7a4e043ebbfca8b6f
Instruction Fuzzy Hash: 271151A2E1AA0305F7662D3CDD7637911816F963B5F092E35ED6ECB7DE9E1CA8406100

Function 00007FFBA966A1C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFBA966464F,?,?,00000000,00007FFBA96648EA,?,?,?,?,?,00007FFBA9664876), ref: 00007FFBA966A1DF
FlsSetValue.KERNEL32(?,?,?,00007FFBA966464F,?,?,00000000,00007FFBA96648EA,?,?,?,?,?,00007FFBA9664876), ref: 00007FFBA966A1FE
FlsSetValue.KERNEL32(?,?,?,00007FFBA966464F,?,?,00000000,00007FFBA96648EA,?,?,?,?,?,00007FFBA9664876), ref: 00007FFBA966A226
FlsSetValue.KERNEL32(?,?,?,00007FFBA966464F,?,?,00000000,00007FFBA96648EA,?,?,?,?,?,00007FFBA9664876), ref: 00007FFBA966A237
FlsSetValue.KERNEL32(?,?,?,00007FFBA966464F,?,?,00000000,00007FFBA96648EA,?,?,?,?,?,00007FFBA9664876), ref: 00007FFBA966A248

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 1aa78005b84c01cf1747bc7e8abec4c41e15ce9df7a61435fc8403327d5c4993
Instruction ID: 46fd03b4ab1a553b6018ab0d98e5b6ddd3587197d04b5ec0809b3723a13fed67
Opcode Fuzzy Hash: 1aa78005b84c01cf1747bc7e8abec4c41e15ce9df7a61435fc8403327d5c4993
Instruction Fuzzy Hash: 69116DA0B0F64302FB5E9F39EE5113922956F427B0F086234EE3E866D6DD3EA441B200

Function 00007FFBA966A054 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBA9665965), ref: 00007FFBA966A065
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBA9665965), ref: 00007FFBA966A084
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBA9665965), ref: 00007FFBA966A0AC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBA9665965), ref: 00007FFBA966A0BD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FFBA9665965), ref: 00007FFBA966A0CE

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: eaec2ba1fb8bbf4bab101c48105cedb823c84e05158127de9f18fb750ec9a500
Instruction ID: 54f5f5d3d87d55cadd07c033d449647d2db8afbf75f1b6844289aa8a5248ad22
Opcode Fuzzy Hash: eaec2ba1fb8bbf4bab101c48105cedb823c84e05158127de9f18fb750ec9a500
Instruction Fuzzy Hash: EC111990A0F20702FB6F6E39DC2517912911F523B4F146738EE3E892D2DD3EB441B640

Function 00007FFBA9672D64 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9673043

Part of subcall function 00007FFBA967AB40: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967AB5D

Strings

ccs, xrefs: 00007FFBA9672F7E
UTF-8, xrefs: 00007FFBA9672FC2
UTF-16LEUNICODE, xrefs: 00007FFBA9672FE1

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 24e9e1913b6a53d2c61e990fa69d2673df549cedb92ac2ea1bce10705863bd82
Instruction ID: 6db13f741de82dcba105c382a69b99a9e5d85433104bf480dd0b402908c1efa2
Opcode Fuzzy Hash: 24e9e1913b6a53d2c61e990fa69d2673df549cedb92ac2ea1bce10705863bd82
Instruction Fuzzy Hash: DC81CFF2E0A24385F7678E3DC95023C26A0AF11B84F95A435DE09D7A9DCF2DE941B702

Function 00007FFBA95F3340 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FFBA95F3390

Part of subcall function 00007FFBA9656BC4: AreFileApisANSI.KERNEL32 ref: 00007FFBA9656BD6

__std_exception_destroy.LIBVCRUNTIME ref: 00007FFBA95F3638

Strings

: ", xrefs: 00007FFBA95F34B6
", ", xrefs: 00007FFBA95F34E9

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ApisFile__std_exception_destroy__std_fs_code_page
String ID: ", "$: "
API String ID: 376971205-747220369
Opcode ID: 01fe7e18ae12268d94d510202bbed1b92f3e1c40e231ede73bcb5caf57e44b60
Instruction ID: 64ec3018be84c3b74ca4ac04ea14b7a1a4c0658f616f203ff3ff905a825197c3
Opcode Fuzzy Hash: 01fe7e18ae12268d94d510202bbed1b92f3e1c40e231ede73bcb5caf57e44b60
Instruction Fuzzy Hash: 8191ABA2B06B4285FF069F79D8453AC2362AF44BE4F509131DE5D9BB8ADF78D4859300

Function 00007FFBA9672AA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9672D49

Part of subcall function 00007FFBA967AD28: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA967AD45

Strings

UTF-8, xrefs: 00007FFBA9672CCC
ccs, xrefs: 00007FFBA9672C95
UTF-16LEUNICODE, xrefs: 00007FFBA9672CED

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: db01216495541d4e2ae3ff39a9cb5f1e0aa5f32745c17d526c4ec486e6305a80
Instruction ID: ffc6e042db1a344184a9deaad1673b51bca6e7c3048f6c0a939c15c130546d71
Opcode Fuzzy Hash: db01216495541d4e2ae3ff39a9cb5f1e0aa5f32745c17d526c4ec486e6305a80
Instruction Fuzzy Hash: 658181F1D0E24385F7BB4E3CCA543792A909F25748F557435CE0ED6AADDA2DA841B301

Function 00007FFBA96159B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9615C3E

Part of subcall function 00007FFBA9656300: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFBA9656309

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFBA9615C44

Strings

true, xrefs: 00007FFBA9615AEA
false, xrefs: 00007FFBA9615A3D

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID: false$true
API String ID: 1173176844-2658103896
Opcode ID: 83289655b65924124c8257a440167aad3b066541278d9c9b9e428431768537e2
Instruction ID: 8f18124d5981a84d086df733f8ff7a58917e952664d2cddab1e3e89085039157
Opcode Fuzzy Hash: 83289655b65924124c8257a440167aad3b066541278d9c9b9e428431768537e2
Instruction Fuzzy Hash: 04818A76A1AB4689E7128F39D8402ED73A8FF58788F542136EE4C87799EF38E545D300

Function 00007FFBA965B818 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFBA965B888
_CallSETranslator.LIBVCRUNTIME ref: 00007FFBA965B8D3

Strings

RCC, xrefs: 00007FFBA965B8A4
MOC, xrefs: 00007FFBA965B89C

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: b8d12fa1b332b0482087f9a08762cb7aa97ccf1729f6a083b4460cc0dce15fc1
Instruction ID: d2b89565d84113e569132555659afef441db16e89515d5695d3836e7e9b78f23
Opcode Fuzzy Hash: b8d12fa1b332b0482087f9a08762cb7aa97ccf1729f6a083b4460cc0dce15fc1
Instruction Fuzzy Hash: 9891D3B3A09B828AE712CF78E8802AD7BA0FB45788F105136EE8D97755DF38D195D700

Function 00007FFBA9659E10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFBA9659E3B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFBA9659ED2
RtlUnwindEx.KERNEL32 ref: 00007FFBA9659F2C

Strings

csm, xrefs: 00007FFBA9659EB9

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 7420ef1ecec3ed2cd3c5cf51e563bae70c7a7acf615e7d58c62a7dfb986f9e87
Instruction ID: 3297aaca8807cb314fd46e5d2ec3f37996e833fd834bf8e0d78eb3c83a8e2aad
Opcode Fuzzy Hash: 7420ef1ecec3ed2cd3c5cf51e563bae70c7a7acf615e7d58c62a7dfb986f9e87
Instruction Fuzzy Hash: 6851AF72B1AA038AEB15CF29E844A797791EF44B88F949135EE4D83788DF7DE841D700

Function 00007FFBA965BD98 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFBA965BDC0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFBA965BEA8

Strings

csm, xrefs: 00007FFBA965BDE2
csm, xrefs: 00007FFBA965BEFA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: aead5aa5ea264c4ad42287de9c127c37e45081ec839da194e957328f10051fae
Instruction ID: a176e5094afb6f80f443d61f0f43df46b209ceac4c3f13be82ebf487046a5da8
Opcode Fuzzy Hash: aead5aa5ea264c4ad42287de9c127c37e45081ec839da194e957328f10051fae
Instruction Fuzzy Hash: D6517DB29093838AEB668F39D84426877A0EF54B94F58A135DF5C87B95CF3CE490DB01

Function 00007FFBA965B5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFBA965B607
_CallSETranslator.LIBVCRUNTIME ref: 00007FFBA965B653

Strings

RCC, xrefs: 00007FFBA965B623
MOC, xrefs: 00007FFBA965B61B

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 4d148d6393fc9382f8e9bdf3d19d24fc6eb7784fa3bb414efd4a89e98671328d
Instruction ID: 8e5fe65df2e9e1f4ff96b36f6258a03df2df4b6f2f9494fb94ce099c1491032c
Opcode Fuzzy Hash: 4d148d6393fc9382f8e9bdf3d19d24fc6eb7784fa3bb414efd4a89e98671328d
Instruction Fuzzy Hash: 3E617172909BC686D7219F39E8407AAB7A0FB85794F045225EF9C87BA5DF7CD190CB00

Function 00007FFBA9614A30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9614A9B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA9614AE3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA9614B73

Strings

bad locale name, xrefs: 00007FFBA961489C, 00007FFBA9614B96

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: aeba93cf15914d8f4253dc0784bb78b05bbec2975a07946c0ad78538c8f42844
Instruction ID: 36dfac8e5e1a39fc954fa269b54b637a36f2a7b9705a708fcd3ece5d35e7cb6c
Opcode Fuzzy Hash: aeba93cf15914d8f4253dc0784bb78b05bbec2975a07946c0ad78538c8f42844
Instruction Fuzzy Hash: B1417962B0BA4299EB16DF78D8903FC33A4EF44748F081435EE4DA7A59CE38D511E354

Function 00007FFBA96148B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA961491B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA9614963
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA96149F3

Strings

bad locale name, xrefs: 00007FFBA9614A16

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: dcc724c6278d9eb99e94b03f66bcdb1bcab94ed259dd2b92684c6e87af21d86c
Instruction ID: 49358e1d544f6c9c0b27088daf3ded5d7e9e97115b2b2ef12877209ffbce4fdc
Opcode Fuzzy Hash: dcc724c6278d9eb99e94b03f66bcdb1bcab94ed259dd2b92684c6e87af21d86c
Instruction Fuzzy Hash: E9419A72B0BA4299EB16DF79D8903EC33B4AF44708F081439EE4DA7A59CE38D521E354

Function 00007FFBA9614BB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA9614C1B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA9614C63
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA9614CF3

Strings

bad locale name, xrefs: 00007FFBA9614D16

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: d2ba78c56d2a067def720497d7a798f8263936e8c950f14e124c0e8c668d7b80
Instruction ID: bc786410deb5e326e0a070303e636ef896f0a035888be0f8647529e1af08144b
Opcode Fuzzy Hash: d2ba78c56d2a067def720497d7a798f8263936e8c950f14e124c0e8c668d7b80
Instruction Fuzzy Hash: EC417862B0BA4299FB16DF78D8902EC33B4AF44748F181439EE4DA7A59CE38D521A354

Function 00007FFBA9614500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFBA961456F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFBA96145B7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFBA961465E

Strings

bad locale name, xrefs: 00007FFBA9614681

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: a7865621f4e3d1b24822ff88c051a1f6bd2fa5c5bd8a3476bb1aacd91828a438
Instruction ID: b1647f7f14217896f34a1856e36b7ec087e066c9044de009f84130b1de84b8b0
Opcode Fuzzy Hash: a7865621f4e3d1b24822ff88c051a1f6bd2fa5c5bd8a3476bb1aacd91828a438
Instruction Fuzzy Hash: 51417862B0BA8299EB16DF78D8902EC33A4EF44748F041435EE4DA7A99CF38D511E354

Function 00007FFBBB018C50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

ssl\statem\statem_srvr.c, xrefs: 00007FFBBB018FB4
ossl_statem_server_write_transition, xrefs: 00007FFBBB018FA8

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID:
String ID: ossl_statem_server_write_transition$ssl\statem\statem_srvr.c
API String ID: 0-156501081
Opcode ID: 6b90e2bd732a7681113251406979414f34a959441fe0ee47379ff1f6580afdcb
Instruction ID: 5e76e5b2c3a29d933b38bbb454c4c7c5281f2534e0bd367d682bc30433736610
Opcode Fuzzy Hash: 6b90e2bd732a7681113251406979414f34a959441fe0ee47379ff1f6580afdcb
Instruction Fuzzy Hash: D831A3A3A0D2C187D307CB78D8A967D3F61EB95B50BC98076DB8887393CA2CA445C716

Function 00007FFBA95F2B00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFBA95F2BB8

Part of subcall function 00007FFBA9659D40: RtlPcToFileHeader.KERNEL32 ref: 00007FFBA9659D90
Part of subcall function 00007FFBA9659D40: RaiseException.KERNEL32 ref: 00007FFBA9659DD1

Strings

ios_base::eofbit set, xrefs: 00007FFBA95F2B42
ios_base::failbit set, xrefs: 00007FFBA95F2A40, 00007FFBA95F2B3B
ios_base::badbit set, xrefs: 00007FFBA95F2B2F

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise__std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3973727643-1866435925
Opcode ID: 56d552fbef00a8a93129bacf95ad1cee3644a79cd9eb491129d2fd351fd65cde
Instruction ID: a2a88aab80f31770c29cf145320367a63be80b00f678ec8316dbd6a514f3c59d
Opcode Fuzzy Hash: 56d552fbef00a8a93129bacf95ad1cee3644a79cd9eb491129d2fd351fd65cde
Instruction Fuzzy Hash: 7321F7A2E1AB4791EB028F31E8821E97321FF54380F949132DE4C46665EF3CE595D340

Function 00007FFBBB011BD0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB011C1C
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB011C34

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

dtls_construct_change_cipher_spec, xrefs: 00007FFBBB011C21
ssl\statem\statem_dtls.c, xrefs: 00007FFBBB011C2D

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: dtls_construct_change_cipher_spec$ssl\statem\statem_dtls.c
API String ID: 1390262125-552485801
Opcode ID: 33fc52ca146c8aa9b2b28eaef0248a497ac2538005c4976f17a1c9f91cdd72df
Instruction ID: f5605ea2f584f2e4fc29dc5146b900dffa7d1c2fe5ec43a5d38b0d7ed4db85e6
Opcode Fuzzy Hash: 33fc52ca146c8aa9b2b28eaef0248a497ac2538005c4976f17a1c9f91cdd72df
Instruction Fuzzy Hash: A201A4E2F1914282EB54977AD4457F81650FF64BC8F948131EF0C477A2EF6CD582820C

Function 00007FFBBB0099E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB00A0D9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB00A0F1

Strings

ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00A0EA
ossl_statem_client_process_message, xrefs: 00007FFBBB00A0DE

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ossl_statem_client_process_message$ssl\statem\statem_clnt.c
API String ID: 193678381-934574601
Opcode ID: 5800bdd5140233e93d4bc069794586a3b69b53f256ff028688403d7198a4993c
Instruction ID: 0b4076533013a05560c2c0aa959b2c399a1601d56a70ad60fcdfa4719e392830
Opcode Fuzzy Hash: 5800bdd5140233e93d4bc069794586a3b69b53f256ff028688403d7198a4993c
Instruction Fuzzy Hash: E301A7A2F0858086E7009B29E8456BD6750BF997C4FD48231EB4C47BB6CF2CD552C708

Function 00007FFBBAFFB9C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFBBB012CA0: OPENSSL_sk_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFFB9DE), ref: 00007FFBBB012CCC
Part of subcall function 00007FFBBB012CA0: ERR_new.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFFB9DE), ref: 00007FFBBB012CDB
Part of subcall function 00007FFBBB012CA0: ERR_set_debug.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFFB9DE), ref: 00007FFBBB012CF3
Part of subcall function 00007FFBBB012CA0: OPENSSL_sk_pop_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFFB9DE), ref: 00007FFBBB012EBA
Part of subcall function 00007FFBBB012CA0: X509_NAME_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FFBBAFFB9DE), ref: 00007FFBBB012EC2

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBAFFB9E9
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBAFFBA01

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

tls_parse_certificate_authorities, xrefs: 00007FFBBAFFB9EE
ssl\statem\extensions.c, xrefs: 00007FFBBAFFB9FA

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$E_freeL_sk_newL_sk_pop_freeR_vset_errorX509_
String ID: ssl\statem\extensions.c$tls_parse_certificate_authorities
API String ID: 2305212849-3887711058
Opcode ID: 8864dffe7eeda9412dc0b4195dad0871c92933ccdb30e70dffed77abfe629ccb
Instruction ID: 4d034d376d4c2b6e0d03dc177d53fe74cb14b0219aaadef8301ddcfd75ab3ee7
Opcode Fuzzy Hash: 8864dffe7eeda9412dc0b4195dad0871c92933ccdb30e70dffed77abfe629ccb
Instruction Fuzzy Hash: 13F062A2F1854246EB949779E9457FD1254FF583C4FD49031FF0C836A6EE6CD881C608

Function 00007FFBBB014C60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB014C8E
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB014CA6

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

ssl\statem\statem_lib.c, xrefs: 00007FFBBB014C9F
tls_construct_key_update, xrefs: 00007FFBBB014C93

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debugR_vset_error
String ID: ssl\statem\statem_lib.c$tls_construct_key_update
API String ID: 1390262125-2630406174
Opcode ID: e526b1e2e25e20ad7f4215d3e6e8a22949e66ab2aaf1245ce59b27d8cc5b99b1
Instruction ID: b5f33d5f92e0c63c687c86de536c116512976ed69f36d8477188bbe982de7d69
Opcode Fuzzy Hash: e526b1e2e25e20ad7f4215d3e6e8a22949e66ab2aaf1245ce59b27d8cc5b99b1
Instruction Fuzzy Hash: BFF0F0E2F0820242EB54A7BEC9557F81200AF493A4F848031EE0C867E2EEAC91818608

Function 00007FFBBB00AACE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AAFF
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB17

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

ERR_new.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB5D
ERR_set_debug.LIBCRYPTO-3-X64(?,00007FFBBB00F83B), ref: 00007FFBBB00AB75

Strings

set_client_ciphersuite, xrefs: 00007FFBBB00AB04
ssl\statem\statem_clnt.c, xrefs: 00007FFBBB00AB10

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_newR_set_debug$R_vset_error
String ID: set_client_ciphersuite$ssl\statem\statem_clnt.c
API String ID: 4275876640-3316213183
Opcode ID: 41334e634ceab13c68610188addce95adeab93b03f885ed48fb2e42abb38404c
Instruction ID: d6c8f310ecd137ba1b5da4fbd7dd92c019aca1ad316778e54a5a146bb7237ea8
Opcode Fuzzy Hash: 41334e634ceab13c68610188addce95adeab93b03f885ed48fb2e42abb38404c
Instruction Fuzzy Hash: F3F0F0A2B19A4248E640A739E4466FE5760FF5D784FD48031FF0C47BA3DE2CE4418B08

Function 00007FFBA966BF6C Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFBA966BFEB
WriteFile.KERNEL32 ref: 00007FFBA966C2B3
WriteFile.KERNEL32 ref: 00007FFBA966C2F9
GetLastError.KERNEL32 ref: 00007FFBA966C3AF

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: df9d58eab7f7fc9e33dab9b1329dac5bc2f80a14b9f217f17adf9d28e513ca67
Instruction ID: 09885ff258a079b06254b2dea2abb0006757993df2b0791e7378ffe7da7ef7f5
Opcode Fuzzy Hash: df9d58eab7f7fc9e33dab9b1329dac5bc2f80a14b9f217f17adf9d28e513ca67
Instruction Fuzzy Hash: A7D104B2B0AA8289E716CF79D8401AC37B1FB55B98B045236CF5D97B99DE3CD406D340

Function 00007FFBA966C92C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00007FFBA966CA48
GetLastError.KERNEL32 ref: 00007FFBA966CAD3

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 52c5e5b51c421f21b688aceaa9e4c66e644f8afb7f033f9e49bdebcb643d9a35
Instruction ID: 48224e86c63c600bb092d4c99cf1bb13bbae86f4a88b0ad2005a77c45b804c60
Opcode Fuzzy Hash: 52c5e5b51c421f21b688aceaa9e4c66e644f8afb7f033f9e49bdebcb643d9a35
Instruction Fuzzy Hash: 6891A4A2F19A5385F75A9F7DD84027D3BA0AF46B88F14613ADF4E97684CE3CD441A700

Function 00007FFBA9656BEC Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FFBA9656C35
GetLastError.KERNEL32 ref: 00007FFBA9656C43
WideCharToMultiByte.KERNEL32 ref: 00007FFBA9656C78
GetLastError.KERNEL32 ref: 00007FFBA9656C86

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 58f1f43474eb1975558400fa1b11e655cf2ded433939df4f09f9cda9d295aeed
Instruction ID: 33899f4c331561488e95af49618e8b14a1526e55e5b904170d4b4f2512d74fa6
Opcode Fuzzy Hash: 58f1f43474eb1975558400fa1b11e655cf2ded433939df4f09f9cda9d295aeed
Instruction Fuzzy Hash: 1D2130B6A19B8687E7248F25E84431EB6B4FB88B85F145134DF8997B54DF3DE4018B00

Function 00007FFBA9658964 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBA9658990
GetCurrentThreadId.KERNEL32 ref: 00007FFBA965899E
GetCurrentProcessId.KERNEL32 ref: 00007FFBA96589AA
QueryPerformanceCounter.KERNEL32 ref: 00007FFBA96589BA

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e607439c967f95c694bd89fab9a60de4dd862719215e515af7f868501d640ae6
Instruction ID: e43f36003dd910e18cd85cc315f3439d011c48bfa9863c9fa92055a671300a12
Opcode Fuzzy Hash: e607439c967f95c694bd89fab9a60de4dd862719215e515af7f868501d640ae6
Instruction Fuzzy Hash: 1E111C66B15B028AEB018F74E8542A933A4FB19B98F441A31DF6D867A4DF78D1548340

Function 00007FFBA9DCBB48 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFBA9DCBB74
GetCurrentThreadId.KERNEL32 ref: 00007FFBA9DCBB82
GetCurrentProcessId.KERNEL32 ref: 00007FFBA9DCBB8E
QueryPerformanceCounter.KERNEL32 ref: 00007FFBA9DCBB9E

Memory Dump Source

Source File: 00000008.00000002.1865237561.00007FFBA9BA8000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFBA9A80000, based on PE: true

Associated: 00000008.00000002.1865208030.00007FFBA9A80000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.1865237561.00007FFBA9A81000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.1867271138.00007FFBA9DCC000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.1867738924.00007FFBA9EC7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.1867838797.00007FFBA9ECB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.1867903344.00007FFBA9ECF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba9a80000_openvpn.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
Instruction ID: 67a2ea8720d01cbaf3a439fd9607b62f1094312e54768307291401f3c1590d04
Opcode Fuzzy Hash: 4ef1cab20f78ea6c52b11cebdc3c40b12c583e0e13e73d9d3fbe16b2e642a04c
Instruction Fuzzy Hash: F7111C62B15B0689EB008F71E8542B833A4FB19B58F440E35DEBD867A4DF78D1998380

Function 00007FFBA965BFD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFBA965BFFA

Strings

csm, xrefs: 00007FFBA965C18E
csm, xrefs: 00007FFBA965C01F

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: d700a2739ee1c15e33707b881fa94c2ee1a5e8135b6378fb7a0e0b75207b5462
Instruction ID: 08ab526d1cea95ca953c0cef7be5860cf738d248abec17aee072f1c41a9148d8
Opcode Fuzzy Hash: d700a2739ee1c15e33707b881fa94c2ee1a5e8135b6378fb7a0e0b75207b5462
Instruction Fuzzy Hash: 4771D4B290A68286DB628F79D85077D7BA1EF41F84F14A135DE8C87A89CF3CD491E740

Function 00007FFBA9670298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFBA9664A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFBA9664A5F

_get_daylight.LIBCMT ref: 00007FFBA96703B0
_get_daylight.LIBCMT ref: 00007FFBA96703C1

Strings

?, xrefs: 00007FFBA9670341

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: ea2d44796a2f97e0110d86fa9988e90d82a0fb90d680e555f8f1fe1f6d8afab8
Instruction ID: e37364b9ba31fb2dd6219275ae6047040d499e9fcc1fab9619a6a1c425f4581f
Opcode Fuzzy Hash: ea2d44796a2f97e0110d86fa9988e90d82a0fb90d680e555f8f1fe1f6d8afab8
Instruction Fuzzy Hash: CB415762A1A68386FB268F3DEC0037A5650EF81BA4F145235EF5CC6AD9EF3CD4419700

Function 00007FFBA965C668 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFBA965C712
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFBA965C73B

Strings

csm, xrefs: 00007FFBA965C83B

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 2bd7622d1a7e6ee03116e26596d76d31f47a16954b3441da8cf43035ad454164
Instruction ID: 1581d39e93a3e203b50c334f7408e253f3375760575fb4460b913c35c0a35ed0
Opcode Fuzzy Hash: 2bd7622d1a7e6ee03116e26596d76d31f47a16954b3441da8cf43035ad454164
Instruction Fuzzy Hash: 325121B661A74287D7219F2AE84026D7BA4FB89B90F142135DF8D87B55CF3CE4A0DB00

Function 00007FFBA966C604 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFBA966C71B
GetLastError.KERNEL32 ref: 00007FFBA966C73D

Strings

U, xrefs: 00007FFBA966C6C7

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 8c8bd25efb5cb0f7405087ac90fad2d0e3f5d3a031a56a87dd55883411ef4f24
Instruction ID: ec17fb50d99e8f848c74e78e00e56515b8111afe8c5f53828ff148b32082b87f
Opcode Fuzzy Hash: 8c8bd25efb5cb0f7405087ac90fad2d0e3f5d3a031a56a87dd55883411ef4f24
Instruction Fuzzy Hash: 9641B2B2A19A8282EB218F29E8443A97BA1FB99784F445031EF4DC7798DF3CD441D740

Function 00007FFBA9659D40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFBA9659D90
RaiseException.KERNEL32 ref: 00007FFBA9659DD1

Strings

csm, xrefs: 00007FFBA9659DBE

Memory Dump Source

Source File: 00000008.00000002.1864545082.00007FFBA95F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFBA95F0000, based on PE: true

Associated: 00000008.00000002.1864183579.00007FFBA95F0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864792981.00007FFBA9682000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1864831465.00007FFBA9683000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865094950.00007FFBA96FD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.1865122932.00007FFBA9703000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffba95f0000_openvpn.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: f36a290481a0ed67094454f9b4f861f0915a1be8560ad8a2bbc877d5558565d7
Instruction ID: 4000424d91b2debbbb6b3de561972a4f21db1d9e1e51ab5915b14fe02b9227ec
Opcode Fuzzy Hash: f36a290481a0ed67094454f9b4f861f0915a1be8560ad8a2bbc877d5558565d7
Instruction Fuzzy Hash: 23116D72619F4282EB628F29F800269B7E5FB88B94F584230DF8D47B58DF3DD5518B00

Function 00007FFBBB018B59 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFBBB018BFF

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7d61655720d5b3a9f4bdf40f64c4ee573691099f3114abfc23b8a0f9f70256f5
Instruction ID: 1a9ad847f7c18a3919d8bbaa0b9778237866c64bfd2bac39f43c47075cf1a0ad
Opcode Fuzzy Hash: 7d61655720d5b3a9f4bdf40f64c4ee573691099f3114abfc23b8a0f9f70256f5
Instruction Fuzzy Hash: D61121E1E0D34286FBA98A69D0983BC2291FB54708F48D175EB4C0A6D5DFBC95C4C719

Function 00007FFBBB0189AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2
ERR_new.LIBCRYPTO-3-X64 ref: 00007FFBBB018C14
ERR_set_debug.LIBCRYPTO-3-X64 ref: 00007FFBBB018C2C

Strings

$, xrefs: 00007FFBBB0189F6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flagsR_newR_set_debug
String ID: $
API String ID: 4119164335-3993045852
Opcode ID: 45315a51009b6ea3b8f327a946f5396e08bfac6f47d5ad81c7bd9488ec58002a
Instruction ID: 0e2e15341b982b394897db313bbdb9201205e73a028a95c8b90595d7921155ab
Opcode Fuzzy Hash: 45315a51009b6ea3b8f327a946f5396e08bfac6f47d5ad81c7bd9488ec58002a
Instruction Fuzzy Hash: 0F0156A2E0D24185FB698F79D0483BD16D0FB50704F4C8075D70C4A6D5DF7C95C48319

Function 00007FFBBB008C17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

ERR_set_debug.LIBCRYPTO-3-X64(?,?,00000000,-00000031,00007FFBBB008862), ref: 00007FFBBB008CEC

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

write_state_machine, xrefs: 00007FFBBB008CDE
ssl\statem\statem.c, xrefs: 00007FFBBB008CE5

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debugR_vset_error
String ID: ssl\statem\statem.c$write_state_machine
API String ID: 3681713388-3145639028
Opcode ID: 53f9587544ee152073a3c384fd0aba8bb824b028562e89c6c633afdb516e0797
Instruction ID: 49e37e05798da47caae0e2cb239fdcc3675f359e6198ca3f9ce4eb67548afa5e
Opcode Fuzzy Hash: 53f9587544ee152073a3c384fd0aba8bb824b028562e89c6c633afdb516e0797
Instruction Fuzzy Hash: 97F090736087828BE742DB39E8656FC3721F755794F898533CF48036A2EA38D456C305

Function 00007FFBBB018BD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2

Strings

$, xrefs: 00007FFBBB018BDE

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: $
API String ID: 3946675294-3993045852
Opcode ID: 83acd1ae84ffaf04614906ea8f0b98c830614e8c8794d5800f37ed7fcd2afc75
Instruction ID: 5ad3ba0579c0197bd6f1da60876c7f74e183ed433df8c3bf420f33cfba879e0b
Opcode Fuzzy Hash: 83acd1ae84ffaf04614906ea8f0b98c830614e8c8794d5800f37ed7fcd2afc75
Instruction Fuzzy Hash: 55F0A7A1F0924246FB599A79D0943BD1281AB94B44F488074EB4C0B7D6DFBD84C4C319

Function 00007FFBBB018BF3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2

Strings

#, xrefs: 00007FFBBB018BFF

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: #
API String ID: 3946675294-1885708031
Opcode ID: 1d88ec13c16be52937f73777048aedb863c1fa7d75dce3262a3ecc1ba3ce0d9b
Instruction ID: ab281b6d4ad9889b11fde7a5b5cf5b54dd529ddb5b2b96ac773b1662379a8fdc
Opcode Fuzzy Hash: 1d88ec13c16be52937f73777048aedb863c1fa7d75dce3262a3ecc1ba3ce0d9b
Instruction Fuzzy Hash: D1F0A0A1F0924246FB999A79D0A83FD1281EB94B44F488074EB4C0B7D6DFFD89C48319

Function 00007FFBBB008C68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ERR_set_debug.LIBCRYPTO-3-X64(?,?,00000000,-00000031,00007FFBBB008862), ref: 00007FFBBB008CEC

Part of subcall function 00007FFBBB007DE0: ERR_vset_error.LIBCRYPTO-3-X64(00000000,00000000,?,00007FFBBAFF23E4), ref: 00007FFBBB007E0F

Strings

write_state_machine, xrefs: 00007FFBBB008CDE
ssl\statem\statem.c, xrefs: 00007FFBBB008CE5

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: R_set_debugR_vset_error
String ID: ssl\statem\statem.c$write_state_machine
API String ID: 3681713388-3145639028
Opcode ID: a031b6a3655688636e3abd0483b9f56cc66997ac321083640bf76cf2e73233fb
Instruction ID: 6a3fc2dd27532eb194a4962ab51b67fb775dbf2d229cd13e6fbe073687cdf2f0
Opcode Fuzzy Hash: a031b6a3655688636e3abd0483b9f56cc66997ac321083640bf76cf2e73233fb
Instruction Fuzzy Hash: 21F0F06360C7868AE742DB39E4157EC2720F705394F888433CF4803593EA38D442C304

Function 00007FFBBB018B3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2

Strings

, xrefs: 00007FFBBB018B44

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID:
API String ID: 3946675294-3916222277
Opcode ID: b8cc9c79ce2812fc6d945ae83f4e4255f90c926594a368cdfc60e93b94ab9c01
Instruction ID: 0220dc4bc2d09ab46ea1504e83683eecd6ecdd7a2f12ff2b381978769d848647
Opcode Fuzzy Hash: b8cc9c79ce2812fc6d945ae83f4e4255f90c926594a368cdfc60e93b94ab9c01
Instruction Fuzzy Hash: 0CF0A0A1F0924246FB999A79D0A83BD1281EB94B44F888074EB4C0B7D6DFBC88C48319

Function 00007FFBBB0189ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB018995
BIO_set_flags.LIBCRYPTO-3-X64 ref: 00007FFBBB0189A2

Strings

$, xrefs: 00007FFBBB0189F6

Memory Dump Source

Source File: 00000008.00000002.1868299976.00007FFBBAF91000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFBBAF90000, based on PE: true

Associated: 00000008.00000002.1868179011.00007FFBBAF90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868546215.00007FFBBB020000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868679021.00007FFBBB04D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868808157.00007FFBBB050000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.1868846640.00007FFBBB051000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffbbaf90000_openvpn.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: $
API String ID: 3946675294-3993045852
Opcode ID: 83acd1ae84ffaf04614906ea8f0b98c830614e8c8794d5800f37ed7fcd2afc75
Instruction ID: 5ad3ba0579c0197bd6f1da60876c7f74e183ed433df8c3bf420f33cfba879e0b
Opcode Fuzzy Hash: 83acd1ae84ffaf04614906ea8f0b98c830614e8c8794d5800f37ed7fcd2afc75
Instruction Fuzzy Hash: 55F0A7A1F0924246FB599A79D0943BD1281AB94B44F488074EB4C0B7D6DFBD84C4C319

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report m9u08f2pMF.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4659c6.rbs

C:\ProgramData\vlc.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nbpbjem.oa0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vu5y4yf.wuo.ps1

C:\Users\user\AppData\Local\Temp\msi90E1.txt

C:\Users\user\AppData\Local\Temp\pss90F4.ps1

C:\Users\user\AppData\Local\Temp\scr90E2.ps1

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\SecureProp.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\UnRar.exe

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\VCRUNTIME140.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-profile-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-rtlsupport-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-string-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-synch-l1-2-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-sysinfo-l1-1-0.dll

C:\Users\user\AppData\Roaming\Grovi Tend\Ifid Apps\api-ms-win-core-timezone-l1-1-0.dll

Windows Analysis Report
m9u08f2pMF.msi

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre