Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Courvix-VPN.exe

Overview

General Information

Sample Name:Courvix-VPN.exe
Analysis ID:409121
MD5:d938d48d746b365778a1684e0aaabd95
SHA1:57e5903f3ce38e2537566966c0988a6f65766ffa
SHA256:40095fcee0c5d925f584aaa46158d1247dd5189b959775a84ad4b95920ff3e3c
Infos:

Most interesting Screenshot:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Courvix-VPN.exe (PID: 2164 cmdline: 'C:\Users\user\Desktop\Courvix-VPN.exe' MD5: D938D48D746B365778A1684E0AAABD95)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
Courvix-VPN.exeJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.230979360.00000000008C2000.00000002.00020000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000000.00000002.500229240.00000000008C2000.00000002.00020000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000000.00000002.505272232.0000000002DD1000.00000004.00000001.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Process Memory Space: Courvix-VPN.exe PID: 2164JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.Courvix-VPN.exe.8c0000.0.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              0.2.Courvix-VPN.exe.8c0000.0.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

                Sigma Overview

                No Sigma rule has matched

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Machine Learning detection for sampleShow sources
                Source: Courvix-VPN.exeJoe Sandbox ML: detected
                Source: Courvix-VPN.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: unknownHTTPS traffic detected: 94.23.146.194:443 -> 192.168.2.7:49702 version: TLS 1.2
                Source: Courvix-VPN.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                Source: Binary string: discordrpc.dll.compressed|1.0.0.0|DiscordRPC, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null|DiscordRPC.dll|AA20BF86B8B518DF9DD2518D60CCD20B4D2FE74A|81920 costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|707293CE5D58EF28915DB131EC6F93F4E89CFA65|26292 source: Courvix-VPN.exe
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmp
                Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: $l!costura.discordrpc.pdb.compressed source: Courvix-VPN.exe, 00000000.00000002.505272232.0000000002DD1000.00000004.00000001.sdmp
                Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|707293CE5D58EF28915DB131EC6F93F4E89CFA65|26292 source: Courvix-VPN.exe
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmp
                Source: Binary string: clrjit.pdb source: Courvix-VPN.exe, 00000000.00000002.511495175.0000000005F30000.00000004.00000001.sdmp
                Source: Binary string: D:\Projects\Guna.UI2\Build\Guna.UI2.WinForms\build\nuget\release\Guna.UI2.pdb source: Courvix-VPN.exe, 00000000.00000003.232011565.0000000001125000.00000004.00000001.sdmp
                Source: Binary string: discordrpcCcostura.discordrpc.dll.compressedCcostura.discordrpc.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: C:\Users\letha\Desktop\Courvix-VPN\Courvix-VPN\obj\Release\Courvix-VPN.pdb source: Courvix-VPN.exe
                Source: Binary string: C:\Users\letha\Desktop\Courvix-VPN\Courvix-VPN\obj\Release\Courvix-VPN.pdb<P source: Courvix-VPN.exe
                Source: Binary string: costura.costura.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: Courvix-VPN.exe
                Source: Binary string: costura.costura.dll.compressed|5.3.0.0|Costura, Version=5.3.0.0, Culture=neutral, PublicKeyToken=null|Costura.dll|790691B8E17BE618ABE2C596B93EB925FC4C1142|4608 costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 costura source: Courvix-VPN.exe
                Source: Binary string: costura.discordrpc.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.dr
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS traffic detected: queries for: courvix.com
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                Source: Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://ocsp.thawte.com0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://s2.symcb.com0
                Source: Courvix-VPN.exe, 00000000.00000002.505397009.0000000002E42000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://sv.symcd.com0&
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: Courvix-VPN.exe, 00000000.00000003.241162480.00000000064C2000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.241073959.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: Courvix-VPN.exe, 00000000.00000003.241162480.00000000064C2000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlm
                Source: Courvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: Courvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com9b
                Source: Courvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comR
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                Source: Courvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: Courvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                Source: Courvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.commfet
                Source: Courvix-VPN.exe, 00000000.00000003.241956072.00000000064B3000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiva
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                Source: Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/=
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/Z
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/8
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/=
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/D
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S
                Source: Courvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/a
                Source: Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
                Source: Courvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vno
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://www.symauth.com/cps0(
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: http://www.symauth.com/rpa00
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: Courvix-VPN.exe, 00000000.00000003.238214506.00000000064BB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comE
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: Courvix-VPN.exeString found in binary or memory: https://cdn.discordapp.com/attachments/827817935388803093/827918131896778782/openvpnfiles.zip
                Source: Courvix-VPN.exeString found in binary or memory: https://cdn.discordapp.com/attachments/827817935388803093/827918131896778782/openvpnfiles.zip7Extrac
                Source: Courvix-VPN.exeString found in binary or memory: https://courvix.com
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Chicago_NFO.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Falkenstein_1.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Helsinki_1.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Lux-EU.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/NewYork2_BuyVM.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/PublicLV_FranTech.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Seattle_NFO.ovpn
                Source: Courvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpString found in binary or memory: https://courvix.com/vpn/configs/Singapore_GSL.ovpn
                Source: Courvix-VPN.exeString found in binary or memory: https://courvix.com/vpn/server_list.json
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: https://d.symcb.com/cps0%
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drString found in binary or memory: https://d.symcb.com/rpa0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                Source: Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknownHTTPS traffic detected: 94.23.146.194:443 -> 192.168.2.7:49702 version: TLS 1.2
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0131C9340_2_0131C934
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0131EF300_2_0131EF30
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0131EF220_2_0131EF22
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_052372580_2_05237258
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0523EE880_2_0523EE88
                Source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000003.232011565.0000000001125000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGuna.UI2.dllD vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000002.502489439.0000000000EE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000002.514451559.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000002.514426921.0000000007A90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIEFRAME.DLLD vs Courvix-VPN.exe
                Source: Courvix-VPN.exe, 00000000.00000002.515231787.0000000008330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Courvix-VPN.exe
                Source: Courvix-VPN.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                Source: Courvix-VPN.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: classification engineClassification label: mal52.evad.winEXE@1/2@1/1
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile created: C:\Users\user\AppData\Roaming\CourvixJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile created: C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7bJump to behavior
                Source: Courvix-VPN.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Courvix-VPN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: Courvix-VPN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Courvix-VPN.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: Courvix-VPN.exeStatic file information: File size 1329152 > 1048576
                Source: Courvix-VPN.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x143200
                Source: Courvix-VPN.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                Source: Courvix-VPN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: discordrpc.dll.compressed|1.0.0.0|DiscordRPC, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null|DiscordRPC.dll|AA20BF86B8B518DF9DD2518D60CCD20B4D2FE74A|81920 costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|707293CE5D58EF28915DB131EC6F93F4E89CFA65|26292 source: Courvix-VPN.exe
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmp
                Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: $l!costura.discordrpc.pdb.compressed source: Courvix-VPN.exe, 00000000.00000002.505272232.0000000002DD1000.00000004.00000001.sdmp
                Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|707293CE5D58EF28915DB131EC6F93F4E89CFA65|26292 source: Courvix-VPN.exe
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Courvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmp
                Source: Binary string: clrjit.pdb source: Courvix-VPN.exe, 00000000.00000002.511495175.0000000005F30000.00000004.00000001.sdmp
                Source: Binary string: D:\Projects\Guna.UI2\Build\Guna.UI2.WinForms\build\nuget\release\Guna.UI2.pdb source: Courvix-VPN.exe, 00000000.00000003.232011565.0000000001125000.00000004.00000001.sdmp
                Source: Binary string: discordrpcCcostura.discordrpc.dll.compressedCcostura.discordrpc.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: C:\Users\letha\Desktop\Courvix-VPN\Courvix-VPN\obj\Release\Courvix-VPN.pdb source: Courvix-VPN.exe
                Source: Binary string: C:\Users\letha\Desktop\Courvix-VPN\Courvix-VPN\obj\Release\Courvix-VPN.pdb<P source: Courvix-VPN.exe
                Source: Binary string: costura.costura.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: Courvix-VPN.exe
                Source: Binary string: costura.costura.dll.compressed|5.3.0.0|Costura, Version=5.3.0.0, Culture=neutral, PublicKeyToken=null|Costura.dll|790691B8E17BE618ABE2C596B93EB925FC4C1142|4608 costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 costura source: Courvix-VPN.exe
                Source: Binary string: costura.discordrpc.pdb.compressed source: Courvix-VPN.exe
                Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.dr

                Data Obfuscation:

                barindex
                Yara detected Costura Assembly LoaderShow sources
                Source: Yara matchFile source: Courvix-VPN.exe, type: SAMPLE
                Source: Yara matchFile source: 00000000.00000000.230979360.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.500229240.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.505272232.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Courvix-VPN.exe PID: 2164, type: MEMORY
                Source: Yara matchFile source: 0.0.Courvix-VPN.exe.8c0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Courvix-VPN.exe.8c0000.0.unpack, type: UNPACKEDPE
                Source: Courvix-VPN.exeStatic PE information: 0x9C597939 [Fri Feb 14 01:30:33 2053 UTC]
                Source: GunaUIDotNetRT.dll.0.drStatic PE information: section name: .didat
                Source: GunaUIDotNetRT.dll.0.drStatic PE information: section name: .00cfg
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_00A0193F push ss; iretd 0_2_00A01AD2
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0131207B push ebx; retf 0_2_0131207A
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_01312058 push ebx; retf 0_2_0131207A
                Source: C:\Users\user\Desktop\Courvix-VPN.exeCode function: 0_2_0131FF58 push es; ret 0_2_0131FF65
                Source: initial sampleStatic PE information: section name: .text entropy: 7.98178082478
                Source: C:\Users\user\Desktop\Courvix-VPN.exeFile created: C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dllJump to dropped file
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                barindex
                Tries to detect virtualization through RDTSC time measurementsShow sources
                Source: C:\Users\user\Desktop\Courvix-VPN.exeRDTSC instruction interceptor: First address: 000000006A2D1D36 second address: 000000006A2D2A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax 0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] 0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] 0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret 0x0000001b mov dword ptr [6A2E53C0h], eax 0x00000020 mov dword ptr [6A2E53C4h], edx 0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007FF044F5B79Bh 0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] 0x00000035 jnl 00007FF044F5B7D6h 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeWindow / User API: threadDelayed 390Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeWindow / User API: threadDelayed 2082Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeWindow / User API: threadDelayed 2065Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeWindow / User API: threadDelayed 4331Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -99828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -99672s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -99453s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -99344s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -99156s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -98797s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -98610s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -98453s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -97953s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -97828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -97610s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exe TID: 3632Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 99828Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 99672Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 99453Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 99344Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 99156Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 98797Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 98610Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 98453Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 97953Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 97828Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 97610Jump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: Courvix-VPN.exe, 00000000.00000002.514451559.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Courvix-VPN.exe, 00000000.00000002.514451559.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Courvix-VPN.exe, 00000000.00000002.514451559.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Courvix-VPN.exe, 00000000.00000002.511978445.0000000006072000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
                Source: Courvix-VPN.exe, 00000000.00000002.514451559.0000000007AB0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Courvix-VPN.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeMemory allocated: page read and write | page guardJump to behavior
                Source: Courvix-VPN.exe, 00000000.00000002.505155566.00000000018C0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                Source: Courvix-VPN.exe, 00000000.00000002.505155566.00000000018C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: Courvix-VPN.exe, 00000000.00000002.505155566.00000000018C0000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: Courvix-VPN.exe, 00000000.00000002.505155566.00000000018C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Users\user\Desktop\Courvix-VPN.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Courvix-VPN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion21Security Account ManagerVirtualization/Sandbox Evasion21SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing2Cached Domain CredentialsSystem Information Discovery112VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsTimestomp1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                Courvix-VPN.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll0%MetadefenderBrowse
                C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll2%ReversingLabs

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://ocsp.sectigo.com00%URL Reputationsafe
                http://ocsp.sectigo.com00%URL Reputationsafe
                http://ocsp.sectigo.com00%URL Reputationsafe
                https://courvix.com0%Avira URL Cloudsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                https://courvix.com/vpn/configs/Falkenstein_1.ovpn0%Avira URL Cloudsafe
                http://www.tiro.comE0%Avira URL Cloudsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                https://courvix.com/vpn/configs/Seattle_NFO.ovpn0%Avira URL Cloudsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/80%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/80%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/80%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/a0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/60%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/60%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/60%URL Reputationsafe
                http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                http://www.carterandcone.comR0%Avira URL Cloudsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                https://courvix.com/vpn/configs/Helsinki_1.ovpn0%Avira URL Cloudsafe
                https://courvix.com/vpn/configs/PublicLV_FranTech.ovpn0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/jp/Z0%Avira URL Cloudsafe
                https://courvix.com/vpn/configs/NewYork2_BuyVM.ovpn0%Avira URL Cloudsafe
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                http://www.fontbureau.comsiva0%URL Reputationsafe
                http://www.fontbureau.comsiva0%URL Reputationsafe
                http://www.fontbureau.comsiva0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/Z0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/Z0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/Z0%URL Reputationsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                https://courvix.com/vpn/configs/Singapore_GSL.ovpn0%Avira URL Cloudsafe
                https://sectigo.com/CPS00%URL Reputationsafe
                https://sectigo.com/CPS00%URL Reputationsafe
                https://sectigo.com/CPS00%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/S0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/S0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/S0%URL Reputationsafe
                http://www.fontbureau.commfet0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/vno0%Avira URL Cloudsafe
                http://ocsp.thawte.com00%URL Reputationsafe
                http://ocsp.thawte.com00%URL Reputationsafe
                http://ocsp.thawte.com00%URL Reputationsafe
                http://www.galapagosdesign.com/Z0%Avira URL Cloudsafe
                https://courvix.com/vpn/server_list.json0%Avira URL Cloudsafe
                http://www.galapagosdesign.com/=0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/D0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/D0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/D0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                courvix.com
                		94.23.146.194
                		truefalse
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://www.fontbureau.com/designersGCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                    		high
                    http://www.fontbureau.com/designers/?Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/bTheCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://ocsp.sectigo.com0Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers?Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                        		high
                        https://courvix.comCourvix-VPN.exefalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.tiro.comCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        https://www.newtonsoft.com/jsonCourvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            		high
                            http://www.goodfont.co.krCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comCourvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            https://courvix.com/vpn/configs/Falkenstein_1.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.tiro.comECourvix-VPN.exe, 00000000.00000003.238214506.00000000064BB000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.sajatypeworks.comCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/cTheCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/staff/dennis.htmCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            https://courvix.com/vpn/configs/Seattle_NFO.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://fontfabrik.comCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/8Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/jp/aCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/6Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://crl.thawte.com/ThawteTimestampingCA.crl0Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drfalse
                              		high
                              http://www.jiyu-kobo.co.jp//Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.carterandcone.comRCourvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleaseCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.ascendercorp.com/typedesigners.htmlCourvix-VPN.exe, 00000000.00000003.241162480.00000000064C2000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.241073959.00000000064C3000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCourvix-VPN.exe, 00000000.00000002.505397009.0000000002E42000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sakkal.comCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  https://courvix.com/vpn/configs/Helsinki_1.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://courvix.com/vpn/configs/PublicLV_FranTech.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/ZCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://courvix.com/vpn/configs/NewYork2_BuyVM.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://github.com/JamesNK/Newtonsoft.JsonCourvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpfalse
                                    		high
                                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.comsivaCourvix-VPN.exe, 00000000.00000003.241956072.00000000064B3000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/ZCourvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.apache.org/licenses/LICENSE-2.0Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.comCourvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.galapagosdesign.com/Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        https://cdn.discordapp.com/attachments/827817935388803093/827918131896778782/openvpnfiles.zip7ExtracCourvix-VPN.exefalse
                                          		high
                                          https://courvix.com/vpn/configs/Singapore_GSL.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://sectigo.com/CPS0Courvix-VPN.exe, 00000000.00000002.512241317.00000000060BB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/SCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.commfetCourvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/vnoCourvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://ocsp.thawte.com0Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.galapagosdesign.com/ZCourvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://courvix.com/vpn/server_list.jsonCourvix-VPN.exefalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.galapagosdesign.com/=Courvix-VPN.exe, 00000000.00000003.243658300.00000000064AE000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/DCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.symauth.com/cps0(Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drfalse
                                            		high
                                            https://courvix.com/vpn/configs/Chicago_NFO.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://james.newtonking.com/projects/jsonCourvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/=Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.carterandcone.comlCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlCourvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.symauth.com/rpa00Courvix-VPN.exe, 00000000.00000002.506313945.0000000003DD1000.00000004.00000001.sdmp, GunaUIDotNetRT.dll.0.drfalse
                                                  		high
                                                  http://www.ascendercorp.com/typedesigners.htmlmCourvix-VPN.exe, 00000000.00000003.241162480.00000000064C2000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.fontbureau.commCourvix-VPN.exe, 00000000.00000003.248798496.00000000064B8000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.jiyu-kobo.co.jp/Courvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000003.240669031.00000000064BC000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://www.newtonsoft.com/jsonschemaCourvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/kCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.carterandcone.com9bCourvix-VPN.exe, 00000000.00000003.240109087.000000000152C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8Courvix-VPN.exe, 00000000.00000002.513234551.0000000006590000.00000002.00000001.sdmpfalse
                                                      		high
                                                      https://www.nuget.org/packages/Newtonsoft.Json.BsonCourvix-VPN.exe, 00000000.00000002.508068060.0000000004039000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.jiyu-kobo.co.jp/fCourvix-VPN.exe, 00000000.00000003.240967437.00000000064C3000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://courvix.com/vpn/configs/Lux-EU.ovpnCourvix-VPN.exe, 00000000.00000002.505654949.0000000002EBE000.00000004.00000001.sdmp, Courvix-VPN.exe, 00000000.00000002.505507000.0000000002E95000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://cdn.discordapp.com/attachments/827817935388803093/827918131896778782/openvpnfiles.zipCourvix-VPN.exefalse
                                                          		high

                                                          Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          94.23.146.194
                                                          		courvix.comFrance
                                                          		16276OVHFRfalse

                                                          General Information

                                                          Joe Sandbox Version:32.0.0 Black Diamond
                                                          Analysis ID:409121
                                                          Start date:09.05.2021
                                                          Start time:12:06:26
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 7m 34s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:Courvix-VPN.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:12
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal52.evad.winEXE@1/2@1/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 0.4% (good quality ratio 0.2%)
                                                          • Quality average: 41.1%
                                                          • Quality standard deviation: 41.9%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 96
                                                          • Number of non-executed functions: 2
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          Show All
                                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 13.64.90.137, 23.218.208.56
                                                          • Excluded domains from analysis (whitelisted): skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtFsControlFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/409121/sample/Courvix-VPN.exe

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          12:07:32API Interceptor18x Sleep call for process: Courvix-VPN.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          94.23.146.194VPN.exeGet hashmaliciousBrowse

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                            courvix.comVPN.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194

                                                            ASN

                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                            OVHFRVPN.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            f41e9f9d_by_Libranalysis.exeGet hashmaliciousBrowse
                                                            • 54.38.220.85
                                                            CpOFmSHBGH.exeGet hashmaliciousBrowse
                                                            • 217.182.77.10
                                                            75tzoUK1Jd.exeGet hashmaliciousBrowse
                                                            • 149.202.83.171
                                                            winlog.exeGet hashmaliciousBrowse
                                                            • 142.4.204.181
                                                            ORyN4cgpvvpr7xt.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            LinkMiner.exeGet hashmaliciousBrowse
                                                            • 51.89.77.2
                                                            notepad.exeGet hashmaliciousBrowse
                                                            • 142.44.242.100
                                                            taskhost.exeGet hashmaliciousBrowse
                                                            • 94.23.23.52
                                                            HOFcBrJ1WiSpxGb.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            TMXodV9oPtPfpUS.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            X5DMimD1ik.exeGet hashmaliciousBrowse
                                                            • 51.83.203.96
                                                            T2ruQyyCqQ.exeGet hashmaliciousBrowse
                                                            • 51.83.203.96
                                                            Tb2PuF1sdM.exeGet hashmaliciousBrowse
                                                            • 51.178.238.246
                                                            9e7d034c_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                            • 217.182.175.206
                                                            New Purchase Order.exeGet hashmaliciousBrowse
                                                            • 5.196.164.16
                                                            Proforma+Packing list.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            Quotation.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            LnUK7BSn4pKs4AT.exeGet hashmaliciousBrowse
                                                            • 66.70.204.222
                                                            Zlmwf.exeGet hashmaliciousBrowse
                                                            • 51.222.195.7

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                            3b5074b1b5d032e5620f69f9f700ff0eVPN.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            d15d3eb0_by_Libranalysis.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            SecuriteInfo.com.BackDoor.SpyBotNET.25.16973.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            rVNGql21DZ.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            X5DMimD1ik.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            Polti Delivery Note 0110010597.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            UEKKQ1SDB2.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            rh5XSSSxSH.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            RunIcon.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            business.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            business agreement.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            mazx_3.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            IMG_INVOICE_6628862572.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            Spare Parts (KITO).exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            221121,pdf.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            20210504_20210405.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            Sample Order.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            d.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            d.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194
                                                            d.exeGet hashmaliciousBrowse
                                                            • 94.23.146.194

                                                            Dropped Files

                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                            C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dllVPN.exeGet hashmaliciousBrowse
                                                              PAYMENT.exeGet hashmaliciousBrowse
                                                                ORDER FORM DENK.exeGet hashmaliciousBrowse
                                                                  SecuriteInfo.com.BackDoor.SpyBotNET.25.5189.exeGet hashmaliciousBrowse
                                                                    UVZxk61Vdc.exeGet hashmaliciousBrowse
                                                                      niMONOdcTZ.exeGet hashmaliciousBrowse
                                                                        XiCfDFLACR.exeGet hashmaliciousBrowse
                                                                          Q7kSO3iJN3.exeGet hashmaliciousBrowse
                                                                            GDs-#0890#U00e2#U20ac#U00aeSLX.exeGet hashmaliciousBrowse
                                                                              purchase_order.exeGet hashmaliciousBrowse
                                                                                BL, Invoices.exeGet hashmaliciousBrowse
                                                                                  purchaseOrder-2020R.exeGet hashmaliciousBrowse
                                                                                    crypt.exeGet hashmaliciousBrowse
                                                                                      gVrKAqVUIw.exeGet hashmaliciousBrowse
                                                                                        OBJEDNAT- SII40513967MM793333.PDF.exeGet hashmaliciousBrowse
                                                                                          Ziraat Bankasi Swift Mesaji.exeGet hashmaliciousBrowse
                                                                                            IEcYhddAMD.exeGet hashmaliciousBrowse
                                                                                              Lff0xG1Nlb.exeGet hashmaliciousBrowse
                                                                                                FRI5A2QZI7.exeGet hashmaliciousBrowse
                                                                                                  kM16L0Vybr.exeGet hashmaliciousBrowse

                                                                                                    Created / dropped Files

                                                                                                    C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll
                                                                                                    Process:C:\Users\user\Desktop\Courvix-VPN.exe
                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):96664
                                                                                                    Entropy (8bit):5.567444078679915
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JKQ7ZLTFq31bfnHSukoY1IPtan1sBrGxEm5g:JKc/FM1bfnyNNdkrGxJg
                                                                                                    MD5:14FF402962AD21B78AE0B4C43CD1F194
                                                                                                    SHA1:F8A510EB26666E875A5BDD1CADAD40602763AD72
                                                                                                    SHA-256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
                                                                                                    SHA-512:DAA7A08BF3709119A944BCE28F6EBDD24E54A22B18CD9F86A87873E958DF121A3881DCDD5E162F6B4E543238C7AEF20F657C9830DF01D4C79290F7C9A4FCC54B
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: VPN.exe, Detection: malicious, Browse
                                                                                                    • Filename: PAYMENT.exe, Detection: malicious, Browse
                                                                                                    • Filename: ORDER FORM DENK.exe, Detection: malicious, Browse
                                                                                                    • Filename: SecuriteInfo.com.BackDoor.SpyBotNET.25.5189.exe, Detection: malicious, Browse
                                                                                                    • Filename: UVZxk61Vdc.exe, Detection: malicious, Browse
                                                                                                    • Filename: niMONOdcTZ.exe, Detection: malicious, Browse
                                                                                                    • Filename: XiCfDFLACR.exe, Detection: malicious, Browse
                                                                                                    • Filename: Q7kSO3iJN3.exe, Detection: malicious, Browse
                                                                                                    • Filename: GDs-#0890#U00e2#U20ac#U00aeSLX.exe, Detection: malicious, Browse
                                                                                                    • Filename: purchase_order.exe, Detection: malicious, Browse
                                                                                                    • Filename: BL, Invoices.exe, Detection: malicious, Browse
                                                                                                    • Filename: purchaseOrder-2020R.exe, Detection: malicious, Browse
                                                                                                    • Filename: crypt.exe, Detection: malicious, Browse
                                                                                                    • Filename: gVrKAqVUIw.exe, Detection: malicious, Browse
                                                                                                    • Filename: OBJEDNAT- SII40513967MM793333.PDF.exe, Detection: malicious, Browse
                                                                                                    • Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse
                                                                                                    • Filename: IEcYhddAMD.exe, Detection: malicious, Browse
                                                                                                    • Filename: Lff0xG1Nlb.exe, Detection: malicious, Browse
                                                                                                    • Filename: FRI5A2QZI7.exe, Detection: malicious, Browse
                                                                                                    • Filename: kM16L0Vybr.exe, Detection: malicious, Browse
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........jr..jr..jr..8...ir......kr......cr..jr..9r..8...kr......sr......kr....x.kr..jr..kr......kr..Richjr..................PE..L...5 .\...........!.........F...............0......................................Z.....@..........................C......0b..d....................b..........4...`A..8...........................x7..@............`..0....p..`....................text...h........................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....idata.......`.......<..............@..@.didat..a....p.......J..............@....00cfg...............N..............@..@.rsrc................P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................
                                                                                                    C:\Users\user\AppData\Roaming\Courvix\settings.json
                                                                                                    Process:C:\Users\user\Desktop\Courvix-VPN.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):52
                                                                                                    Entropy (8bit):4.209867121904035
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:3Ha8Tqev2Ha8TqevY:3Ha8Tca8T8
                                                                                                    MD5:4E0E19EFC4A1080E589DB781D0E9999E
                                                                                                    SHA1:38730EF74B9431AC02E048F4C10D321D2FC92E56
                                                                                                    SHA-256:19695EF914040585BB1C1B07D0A642E0D585A7BB52A55323625D0EF4FE293DF2
                                                                                                    SHA-512:B5BEB52984CBD335168FC77D62EB09719776CD14C7B243DCE5AE2B10070B935B3355C364606F47254F7317F95FEA157CFD8621EC1E2B2D6F2712261E3B7F27DD
                                                                                                    Malicious:false
                                                                                                    Reputation:low
                                                                                                    Preview: {.. "DiscordRPC": true..}{.. "DiscordRPC": true..}

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.980113288617703
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    File name:Courvix-VPN.exe
                                                                                                    File size:1329152
                                                                                                    MD5:d938d48d746b365778a1684e0aaabd95
                                                                                                    SHA1:57e5903f3ce38e2537566966c0988a6f65766ffa
                                                                                                    SHA256:40095fcee0c5d925f584aaa46158d1247dd5189b959775a84ad4b95920ff3e3c
                                                                                                    SHA512:041950c2a645769e2423275cc3774e7f120b01d8f2a344309a05b51078e3dd56acab1ede2a8df058526728bcebeb3c0a0fc49ab7ce3feaf405ecc2d68e1881a6
                                                                                                    SSDEEP:24576:e/ayvrZzUeQmu1+sbkGsN9zZ4uQMWsUbMjCqfw+Jwz/S/6h:eywrFQmuXuFdHWjIjCgw+W7SC
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9yY...............0..2..........nP... ........@.. ....................................`................................

                                                                                                    File Icon

                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x54506e
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                    Time Stamp:0x9C597939 [Fri Feb 14 01:30:33 2053 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al

                                                                                                    Data Directories

                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x1450140x57.text
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x1460000x103c.rsrc
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x1480000xc.reloc
                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x144f780x38.text
                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                    Sections

                                                                                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                    .text0x20000x1430740x143200False0.982498942215data7.98178082478IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                    .rsrc0x1460000x103c0x1200False0.357204861111data4.79305455505IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                    .reloc0x1480000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                    Resources

                                                                                                    NameRVASizeTypeLanguageCountry
                                                                                                    RT_VERSION0x1460900x334data
                                                                                                    RT_MANIFEST0x1463d40xc61XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                                    Imports

                                                                                                    DLLImport
                                                                                                    mscoree.dll_CorExeMain

                                                                                                    Version Infos

                                                                                                    DescriptionData
                                                                                                    Translation0x0000 0x04b0
                                                                                                    LegalCopyrightCopyright 2021
                                                                                                    Assembly Version1.0.0.0
                                                                                                    InternalNameCourvix-VPN.exe
                                                                                                    FileVersion1.0.0.0
                                                                                                    CompanyName
                                                                                                    LegalTrademarks
                                                                                                    Comments
                                                                                                    ProductNameMainForm-VPN
                                                                                                    ProductVersion1.0.0.0
                                                                                                    FileDescriptionMainForm-VPN
                                                                                                    OriginalFilenameCourvix-VPN.exe

                                                                                                    Network Behavior

                                                                                                    Network Port Distribution

                                                                                                    TCP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    May 9, 2021 12:07:34.171471119 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:34.221019030 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:34.221158028 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:34.786742926 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:34.836190939 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:34.837078094 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:34.837105036 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:34.837122917 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:34.837203026 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:34.916300058 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:34.967655897 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:35.057673931 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:35.122797966 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:07:35.182267904 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:07:35.370119095 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:08:05.184663057 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:08:05.184696913 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:08:05.185324907 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:08:05.374049902 CEST4434970294.23.146.194192.168.2.7
                                                                                                    May 9, 2021 12:08:05.375158072 CEST49702443192.168.2.794.23.146.194
                                                                                                    May 9, 2021 12:09:15.221421003 CEST49702443192.168.2.794.23.146.194

                                                                                                    UDP Packets

                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    May 9, 2021 12:07:12.223232031 CEST5621753192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:12.275325060 CEST53562178.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:13.123382092 CEST6335453192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:13.174860001 CEST53633548.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:14.084655046 CEST5312953192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:14.136173964 CEST53531298.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:15.333380938 CEST6245253192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:15.390547991 CEST53624528.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:16.499627113 CEST5782053192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:16.551455975 CEST53578208.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:17.578618050 CEST5084853192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:17.627552032 CEST53508488.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:18.599824905 CEST6124253192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:18.651618004 CEST53612428.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:19.595069885 CEST5856253192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:19.644244909 CEST53585628.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:22.505783081 CEST5659053192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:22.554631948 CEST53565908.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:23.646598101 CEST6050153192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:23.698174953 CEST53605018.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:24.857631922 CEST5377553192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:24.917534113 CEST53537758.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:25.888262033 CEST5183753192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:25.939831972 CEST53518378.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:27.255863905 CEST5541153192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:27.304574013 CEST53554118.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:28.510989904 CEST6366853192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:28.560147047 CEST53636688.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:29.746977091 CEST5464053192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:29.796770096 CEST53546408.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:30.866350889 CEST5873953192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:30.918068886 CEST53587398.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:31.816020012 CEST6033853192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:31.864865065 CEST53603388.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:33.544480085 CEST5871753192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:33.593265057 CEST53587178.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:33.735898972 CEST5976253192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:33.813170910 CEST53597628.8.8.8192.168.2.7
                                                                                                    May 9, 2021 12:07:35.442025900 CEST5432953192.168.2.78.8.8.8
                                                                                                    May 9, 2021 12:07:35.499192953 CEST53543298.8.8.8192.168.2.7

                                                                                                    DNS Queries

                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                    May 9, 2021 12:07:33.735898972 CEST192.168.2.78.8.8.80xc18Standard query (0)courvix.comA (IP address)IN (0x0001)

                                                                                                    DNS Answers

                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                    May 9, 2021 12:07:33.813170910 CEST8.8.8.8192.168.2.70xc18No error (0)courvix.com94.23.146.194A (IP address)IN (0x0001)

                                                                                                    HTTPS Packets

                                                                                                    TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                    May 9, 2021 12:07:34.837122917 CEST94.23.146.194443192.168.2.749702CN=courvix.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GBCN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USSun Mar 28 01:00:00 CET 2021 Fri Nov 02 01:00:00 CET 2018Tue Mar 29 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2031771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,03b5074b1b5d032e5620f69f9f700ff0e
                                                                                                    CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GBCN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USFri Nov 02 01:00:00 CET 2018Wed Jan 01 00:59:59 CET 2031

                                                                                                    Code Manipulations

                                                                                                    Statistics

                                                                                                    CPU Usage

                                                                                                    Click to jump to process

                                                                                                    Memory Usage

                                                                                                    Click to jump to process

                                                                                                    High Level Behavior Distribution

                                                                                                    Click to dive into process behavior distribution

                                                                                                    System Behavior

                                                                                                    Analysis Process: Courvix-VPN.exe PID: 2164 Parent PID: 5664

                                                                                                    General

                                                                                                    Start time:12:07:18
                                                                                                    Start date:09/05/2021
                                                                                                    Path:C:\Users\user\Desktop\Courvix-VPN.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\Desktop\Courvix-VPN.exe'
                                                                                                    Imagebase:0x8c0000
                                                                                                    File size:1329152 bytes
                                                                                                    MD5 hash:D938D48D746B365778A1684E0AAABD95
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.230979360.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.500229240.00000000008C2000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.505272232.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    Reputation:low

                                                                                                    Chronological Activities

                                                                                                    Disassembly

                                                                                                    Code Analysis

                                                                                                    Reset < >

                                                                                                      Analysis Process: Courvix-VPN.exe PID: 2164 Parent PID: 5664 Courvix-VPN.exeCOMMON

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:13.1%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:151
                                                                                                      Total number of Limit Nodes:8

                                                                                                      Graph

                                                                                                      execution_graph 19430 131c070 GetCurrentProcess 19431 131c0e3 19430->19431 19432 131c0ea GetCurrentThread 19430->19432 19431->19432 19433 131c120 19432->19433 19434 131c127 GetCurrentProcess 19432->19434 19433->19434 19435 131c15d 19434->19435 19436 131c185 GetCurrentThreadId 19435->19436 19437 131c1b6 19436->19437 19534 131da10 19535 131da2d 19534->19535 19537 131da71 19535->19537 19538 131c684 19535->19538 19539 131c68f 19538->19539 19542 131e460 19539->19542 19541 131e897 19541->19537 19543 131e46b 19542->19543 19544 131ea09 19543->19544 19546 131e96a 19543->19546 19549 131ea50 19543->19549 19556 131ea68 19543->19556 19544->19541 19545 131e460 2 API calls 19545->19546 19546->19544 19546->19545 19550 131ea68 19549->19550 19551 131eaa5 19550->19551 19552 131a090 2 API calls 19550->19552 19553 1319b59 2 API calls 19550->19553 19564 131eed8 19550->19564 19568 131eee8 19550->19568 19551->19546 19552->19551 19553->19551 19558 131ea99 19556->19558 19559 131eae5 19556->19559 19557 131eaa5 19557->19546 19558->19557 19560 131a090 2 API calls 19558->19560 19561 1319b59 2 API calls 19558->19561 19562 131eee8 2 API calls 19558->19562 19563 131eed8 2 API calls 19558->19563 19559->19546 19560->19559 19561->19559 19562->19559 19563->19559 19565 131eedb 19564->19565 19566 131eef1 19564->19566 19565->19566 19567 131a090 2 API calls 19565->19567 19566->19551 19567->19566 19569 131a090 2 API calls 19568->19569 19570 131eef1 19569->19570 19570->19551 19599 131cd80 19601 131cdae 19599->19601 19600 131cdd7 19603 131ce7f 19600->19603 19605 131cdef 19600->19605 19601->19600 19607 131ceeb 19601->19607 19608 131c700 19601->19608 19604 131c684 2 API calls 19603->19604 19603->19607 19604->19607 19606 131ce7a KiUserCallbackDispatcher 19605->19606 19605->19607 19606->19607 19609 131c70b 19608->19609 19612 131c774 19609->19612 19611 131d395 19611->19600 19613 131c77f 19612->19613 19614 131d450 GetFocus 19613->19614 19615 131d449 19613->19615 19614->19615 19615->19611 19571 1314358 19572 1314362 19571->19572 19576 1314448 19571->19576 19581 1313afc 19572->19581 19574 131437d 19577 131446d 19576->19577 19585 1314539 19577->19585 19589 1314548 19577->19589 19582 1313b07 19581->19582 19583 1315bd8 2 API calls 19582->19583 19584 131727d 19583->19584 19584->19574 19587 131456f 19585->19587 19586 131464c 19586->19586 19587->19586 19593 1313f34 19587->19593 19591 131456f 19589->19591 19590 131464c 19590->19590 19591->19590 19592 1313f34 CreateActCtxA 19591->19592 19592->19590 19594 13155d8 CreateActCtxA 19593->19594 19596 131569b 19594->19596 19597 131c298 DuplicateHandle 19598 131c32e 19597->19598 19438 1316cef 19439 1316cf9 19438->19439 19440 1316d1a 19439->19440 19443 1316ec0 19439->19443 19447 1316eb2 19439->19447 19444 1316ef0 19443->19444 19445 1316f4f 19444->19445 19451 1317200 19444->19451 19445->19445 19448 1316ef0 19447->19448 19449 1316f4f 19448->19449 19450 1317200 2 API calls 19448->19450 19450->19449 19452 1317221 19451->19452 19453 1317229 19452->19453 19456 1315bd8 19452->19456 19453->19445 19455 131727d 19455->19445 19457 1315be3 19456->19457 19460 1315bf8 19457->19460 19459 1317335 19459->19455 19461 1315c03 19460->19461 19464 1315c28 19461->19464 19463 131741a 19463->19459 19465 1315c33 19464->19465 19468 1315c58 19465->19468 19467 131750a 19467->19463 19469 1315c63 19468->19469 19470 1317c1e 19469->19470 19475 131a090 19469->19475 19483 1319b59 19469->19483 19471 1317c5c 19470->19471 19487 131bc91 19470->19487 19471->19467 19476 131a0a3 19475->19476 19477 131a0bb 19476->19477 19492 131a309 19476->19492 19496 131a318 19476->19496 19477->19470 19478 131a0b3 19478->19477 19479 131a2b8 GetModuleHandleW 19478->19479 19480 131a2e5 19479->19480 19480->19470 19504 1319b90 19483->19504 19507 1319b80 19483->19507 19484 1319b6e 19484->19470 19488 131bcc1 19487->19488 19489 131bce5 19488->19489 19511 131bf58 19488->19511 19515 131bf48 19488->19515 19489->19471 19494 131a318 19492->19494 19493 131a351 19493->19478 19494->19493 19500 1319cb8 19494->19500 19498 131a32c 19496->19498 19497 131a351 19497->19478 19498->19497 19499 1319cb8 LoadLibraryExW 19498->19499 19499->19497 19501 131a4d8 LoadLibraryExW 19500->19501 19503 131a551 19501->19503 19503->19493 19506 131a090 2 API calls 19504->19506 19505 1319b9f 19505->19484 19506->19505 19508 1319b90 19507->19508 19510 131a090 2 API calls 19508->19510 19509 1319b9f 19509->19484 19510->19509 19512 131bf65 19511->19512 19513 131bf9f 19512->19513 19519 1319fb8 19512->19519 19513->19489 19516 131bf58 19515->19516 19517 131bf9f 19516->19517 19518 1319fb8 2 API calls 19516->19518 19517->19489 19518->19517 19520 1319fc3 19519->19520 19522 131cc98 19520->19522 19523 131a05c 19520->19523 19522->19522 19524 131a067 19523->19524 19525 1315c58 LoadLibraryExW GetModuleHandleW 19524->19525 19526 131cd07 19525->19526 19527 131a06c LoadLibraryExW GetModuleHandleW 19526->19527 19528 131cd2f 19527->19528 19529 131c684 LoadLibraryExW GetModuleHandleW 19528->19529 19530 131cd36 19529->19530 19532 131ea50 LoadLibraryExW GetModuleHandleW 19530->19532 19533 131ea68 LoadLibraryExW GetModuleHandleW 19530->19533 19531 131cd40 19531->19522 19532->19531 19533->19531

                                                                                                      Executed Functions

                                                                                                      Function 0523EE88, Relevance: .7, Instructions: 657COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 159d96c3d4306c99469a0e8e62e11fcb2a13abe55c18bb85a54eaf8e981cd560
                                                                                                      • Instruction ID: d80b64261f2e503e059eb21d5b48dc6a4b3f083633859cc0e0af0bd52e384084
                                                                                                      • Opcode Fuzzy Hash: 159d96c3d4306c99469a0e8e62e11fcb2a13abe55c18bb85a54eaf8e981cd560
                                                                                                      • Instruction Fuzzy Hash: 67526B74B1112ACFD764DB28D994FA9B7B6BF88310F04C0A5E80AAB764DB34AD41DF50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05237258, Relevance: .5, Instructions: 485COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3c62ec912501d4a86a84413dcfda2323423be81ae6a6608b4cf67b3b01438ec8
                                                                                                      • Instruction ID: aae3df23f6145d61dc34f385a3f79463e9bf1fa6f2ac6aad122f4b1679248b7a
                                                                                                      • Opcode Fuzzy Hash: 3c62ec912501d4a86a84413dcfda2323423be81ae6a6608b4cf67b3b01438ec8
                                                                                                      • Instruction Fuzzy Hash: 4412B0B5A142598FCF14CFA8C485AADBBF2FF89300F158565E809AB395DB30ED45CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131C934, Relevance: .3, Instructions: 265COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2abebd259347dba06f27fab87227fae4e6415cdd27bb4a10478a601aa235f957
                                                                                                      • Instruction ID: 55ec307598df6994eeccb38dc4a73c7269afbfca4088e19bbbefe36737ec85f0
                                                                                                      • Opcode Fuzzy Hash: 2abebd259347dba06f27fab87227fae4e6415cdd27bb4a10478a601aa235f957
                                                                                                      • Instruction Fuzzy Hash: DDA17032E0021A8FCF1ADFA9C8445DDBBB6FF84304B15857AE905BB269DB31A955CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131C060, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0131C0D0
                                                                                                      • GetCurrentThread.KERNEL32 ref: 0131C10D
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0131C14A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0131C1A3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: 6db14da44e07c22b0d9633f9685b78f00e777711b774b898273354ad8766484d
                                                                                                      • Instruction ID: 2a556ff3e59568494161b9a36e0e3e1815945c95d74328b21283df9bc7194bae
                                                                                                      • Opcode Fuzzy Hash: 6db14da44e07c22b0d9633f9685b78f00e777711b774b898273354ad8766484d
                                                                                                      • Instruction Fuzzy Hash: EE5148B49002498FDB28CFA9D9887DEBBF0FF48318F248869E419A7394D7755844CF65
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131C070, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0131C0D0
                                                                                                      • GetCurrentThread.KERNEL32 ref: 0131C10D
                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0131C14A
                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0131C1A3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Current$ProcessThread
                                                                                                      • String ID:
                                                                                                      • API String ID: 2063062207-0
                                                                                                      • Opcode ID: e61050ffd4bba2c355412e9b03fc458c1e27225a28c9fa221e64d97666523484
                                                                                                      • Instruction ID: e6357f12d0445107c471317afe4f81f37bd7b188fddad064f0b867d9f27bcfdd
                                                                                                      • Opcode Fuzzy Hash: e61050ffd4bba2c355412e9b03fc458c1e27225a28c9fa221e64d97666523484
                                                                                                      • Instruction Fuzzy Hash: 145147B49003498FDB28CFA9D948BDEBBF0BF48318F248469E419A7394D7745844CF65
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E468, Relevance: 2.7, Strings: 2, Instructions: 202COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 41 523e468-523e499 42 523e613-523e637 41->42 43 523e49f-523e4a3 41->43 45 523e63e-523e674 42->45 44 523e4a9-523e4ad 43->44 43->45 46 523e4af-523e4c1 44->46 47 523e4cd-523e4cf 44->47 63 523e67b-523e69f 45->63 46->47 50 523e4d1-523e4d5 47->50 51 523e508-523e514 47->51 53 523e4e1-523e503 50->53 54 523e4d7-523e4db 50->54 61 523e520-523e52a 51->61 62 523e516-523e51a 51->62 57 523e5bd-523e5cc 53->57 54->53 54->57 68 523e5d2 57->68 69 523e5ce-523e5d0 57->69 70 523e53b-523e545 61->70 71 523e52c-523e535 61->71 62->61 62->63 75 523e6a6-523e6f3 63->75 74 523e5da-523e5ff 68->74 69->74 81 523e571-523e575 70->81 82 523e547-523e551 70->82 71->70 71->75 74->42 97 523e6f5-523e6fc 75->97 98 523e6fd-523e70a 75->98 83 523e577-523e57e 81->83 84 523e588-523e5a0 81->84 82->81 91 523e553-523e565 82->91 99 523e581 call 523e738 83->99 100 523e581 call 523e748 83->100 93 523e5a8-523e5b5 84->93 89 523e584-523e586 89->57 89->84 91->81 93->57 97->98 99->89 100->89
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: <)l$ <)l
                                                                                                      • API String ID: 0-717876167
                                                                                                      • Opcode ID: e3c931f8c4456f497deebb99a538fe5a1ec1a3d9a8ee056243f2cfce94b668f9
                                                                                                      • Instruction ID: b63ee76a696ac49a089dbf82e82baa7736298f4ecb9b187583c1c839d63fd434
                                                                                                      • Opcode Fuzzy Hash: e3c931f8c4456f497deebb99a538fe5a1ec1a3d9a8ee056243f2cfce94b668f9
                                                                                                      • Instruction Fuzzy Hash: 1871D0B47283519FC7259B38C49967E7BE7AF85204F46886CD04A8B381DF34EC0ACB51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E18F, Relevance: 2.6, Strings: 2, Instructions: 103COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 101 523e18f-523e1ab 102 523e1cd-523e1f1 101->102 103 523e1ad-523e1b1 101->103 105 523e1f8-523e21c 102->105 104 523e1b3-523e1b8 103->104 103->105 106 523e223-523e2a2 104->106 107 523e1ba 104->107 105->106 122 523e2a4-523e2c8 106->122 123 523e2c9-523e2d3 106->123 143 523e1bc call 523e278 107->143 144 523e1bc call 523e18f 107->144 111 523e1c2-523e1cc 126 523e2d5-523e2f9 123->126 127 523e2fa-523e2fe 123->127 128 523e300-523e324 127->128 129 523e325-523e380 127->129 142 523e387-523e390 129->142 143->111 144->111
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: <)l$ <)l
                                                                                                      • API String ID: 0-717876167
                                                                                                      • Opcode ID: 8b0d0b20537ef79366319caad45cf7efcea7c84541d97114b0ed96939ae7cd23
                                                                                                      • Instruction ID: c9aa589f944430a5c5ebd50b4632e8aefc23af26d288f6a1e2b6aaf769a7a80d
                                                                                                      • Opcode Fuzzy Hash: 8b0d0b20537ef79366319caad45cf7efcea7c84541d97114b0ed96939ae7cd23
                                                                                                      • Instruction Fuzzy Hash: 7C316835B192101FD328937888557BE37E7EFC6254F49886DC08ADB780CE34AC078382
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523CA28, Relevance: 2.6, Strings: 2, Instructions: 62COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 145 523ca28-523ca38 146 523ca4a-523ca71 145->146 147 523ca3a-523ca40 145->147 150 523ca83-523ca87 146->150 151 523ca73-523ca79 146->151 147->146 152 523caa3-523cab5 150->152 153 523ca89-523ca9b 150->153 151->150 156 523cab7-523cabd 152->156 157 523cacd-523cad1 152->157 153->152 158 523cac1-523cac3 156->158 159 523cabf 156->159 160 523cad3-523cadc call 523e0d0 157->160 161 523cade-523cae1 157->161 158->157 159->157 160->161
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $%%l$$%%l
                                                                                                      • API String ID: 0-3813784091
                                                                                                      • Opcode ID: c05ec814acda5232a98ca8aae911e34e25766094c71bee04615bb1ed92fc60db
                                                                                                      • Instruction ID: 447c5e758b90f4902a34d2887d3696d57f5f22afdd1292fd864c4a7b990f803b
                                                                                                      • Opcode Fuzzy Hash: c05ec814acda5232a98ca8aae911e34e25766094c71bee04615bb1ed92fc60db
                                                                                                      • Instruction Fuzzy Hash: 1D1142743282219BDF24FB28D811A26A397AF81635F34C73A953AA77D4CF709C458B91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131A090, Relevance: 1.7, APIs: 1, Instructions: 193COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 164 131a090-131a0a5 call 1318ae4 167 131a0a7 164->167 168 131a0bb-131a0bf 164->168 217 131a0ad call 131a309 167->217 218 131a0ad call 131a318 167->218 169 131a0c1-131a0cb 168->169 170 131a0d3-131a114 168->170 169->170 175 131a121-131a12f 170->175 176 131a116-131a11e 170->176 171 131a0b3-131a0b5 171->168 172 131a1f0-131a2b0 171->172 212 131a2b2-131a2b5 172->212 213 131a2b8-131a2e3 GetModuleHandleW 172->213 178 131a131-131a136 175->178 179 131a153-131a155 175->179 176->175 181 131a141 178->181 182 131a138-131a13f call 1318af0 178->182 180 131a158-131a15f 179->180 185 131a161-131a169 180->185 186 131a16c-131a173 180->186 184 131a143-131a151 181->184 182->184 184->180 185->186 189 131a180-131a189 call 1318b00 186->189 190 131a175-131a17d 186->190 195 131a196-131a19b 189->195 196 131a18b-131a193 189->196 190->189 197 131a1b9-131a1bd 195->197 198 131a19d-131a1a4 195->198 196->195 219 131a1c0 call 131a5f0 197->219 220 131a1c0 call 131a600 197->220 198->197 200 131a1a6-131a1b6 call 1319c7c call 1319c8c 198->200 200->197 202 131a1c3-131a1c6 205 131a1e9-131a1ef 202->205 206 131a1c8-131a1e6 202->206 206->205 212->213 214 131a2e5-131a2eb 213->214 215 131a2ec-131a300 213->215 214->215 217->171 218->171 219->202 220->202
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0131A2D6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: bb11ec056585096ac40d4d4aac92090d04bcaecd978ae56bf9a06f7bb1f44e54
                                                                                                      • Instruction ID: 830329c807a4fa1fe68c398c322f078628c712eeba8bda4e4d33465e79f3e61e
                                                                                                      • Opcode Fuzzy Hash: bb11ec056585096ac40d4d4aac92090d04bcaecd978ae56bf9a06f7bb1f44e54
                                                                                                      • Instruction Fuzzy Hash: FD712470A01B458FD728DF29D4447AABBF1BF88348F008A2DD58ADBB54D775E809CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 013155CC, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 221 13155cc-1315699 CreateActCtxA 223 13156a2-13156fc 221->223 224 131569b-13156a1 221->224 231 131570b-131570f 223->231 232 13156fe-1315701 223->232 224->223 233 1315711-131571d 231->233 234 1315720 231->234 232->231 233->234 235 1315721 234->235 235->235
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 01315689
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 3349e26c43a90f355d0a2480c7d51454c2bf437e42144b9806cf5aa8b9f4dd51
                                                                                                      • Instruction ID: c7a070ba08cf57042457f17760cd7ed10e2661121b9bf3d1b05eacee53e30ec8
                                                                                                      • Opcode Fuzzy Hash: 3349e26c43a90f355d0a2480c7d51454c2bf437e42144b9806cf5aa8b9f4dd51
                                                                                                      • Instruction Fuzzy Hash: EB4103B0C00328CFDB24CF99C884BDEBBB1BF89318F21846AD418AB254D7756946CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 01313F34, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 237 1313f34-1315699 CreateActCtxA 240 13156a2-13156fc 237->240 241 131569b-13156a1 237->241 248 131570b-131570f 240->248 249 13156fe-1315701 240->249 241->240 250 1315711-131571d 248->250 251 1315720 248->251 249->248 250->251 252 1315721 251->252 252->252
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 01315689
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: fdb69b2bf06d6f0e659288c6dd3fa7a118b13694b2a1082d4eca04a89365e3d8
                                                                                                      • Instruction ID: 4e6641ed02f318dd7fd218abfd05c41d84ec3c6e0e88f74638f9b63c5a1b42dc
                                                                                                      • Opcode Fuzzy Hash: fdb69b2bf06d6f0e659288c6dd3fa7a118b13694b2a1082d4eca04a89365e3d8
                                                                                                      • Instruction Fuzzy Hash: 8D41F3B1C0062CCBDB24CF9AC884BDEBBB5BF89308F518469D419AB254DB756945CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131C290, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 254 131c290-131c32c DuplicateHandle 255 131c335-131c352 254->255 256 131c32e-131c334 254->256 256->255
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131C31F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: fc947301437700b06d08b81d3cceb3f54c8f5e7dcf3a4436c716f9e81169d133
                                                                                                      • Instruction ID: 9c7db93923a6e76df5b36aacc152d643a660bda9a2c056d74dc6107d81b1189c
                                                                                                      • Opcode Fuzzy Hash: fc947301437700b06d08b81d3cceb3f54c8f5e7dcf3a4436c716f9e81169d133
                                                                                                      • Instruction Fuzzy Hash: E82100B69002589FDB10CFA9D584AEEBBF4AB08324F14845AE954A7350D378A944DFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131C298, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 259 131c298-131c32c DuplicateHandle 260 131c335-131c352 259->260 261 131c32e-131c334 259->261 261->260
                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131C31F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 01bcd5682cd620a58c49c52671e8f1113a28d8dff9bb69e9474c682cac07be11
                                                                                                      • Instruction ID: ca4cfab178a6dd3c3116ef5867a31e3618fd2cea35988f4b8bab5ef09174df73
                                                                                                      • Opcode Fuzzy Hash: 01bcd5682cd620a58c49c52671e8f1113a28d8dff9bb69e9474c682cac07be11
                                                                                                      • Instruction Fuzzy Hash: 2C21F5B59002499FDB10CF9AD584ADEFBF4FB48324F14841AE954A3350D378A944CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131A4D0, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 264 131a4d0-131a518 266 131a520-131a54f LoadLibraryExW 264->266 267 131a51a-131a51d 264->267 268 131a551-131a557 266->268 269 131a558-131a575 266->269 267->266 268->269
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0131A351,00000800,00000000,00000000), ref: 0131A542
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      • Opcode ID: 2afc24e4b88c685c1c4e118074059df68e1b7e677537e77b5cebf36ced0cadb9
                                                                                                      • Instruction ID: 8128f304818760081afd6efbf50ac5741ecb4ad77b72c65decff11852bc20928
                                                                                                      • Opcode Fuzzy Hash: 2afc24e4b88c685c1c4e118074059df68e1b7e677537e77b5cebf36ced0cadb9
                                                                                                      • Instruction Fuzzy Hash: 6B1114B6800249CFDB14CF9AD488ADEFBF4EB48324F04842AD955A7200C375A545CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 01319CB8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 272 1319cb8-131a518 274 131a520-131a54f LoadLibraryExW 272->274 275 131a51a-131a51d 272->275 276 131a551-131a557 274->276 277 131a558-131a575 274->277 275->274 276->277
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0131A351,00000800,00000000,00000000), ref: 0131A542
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      • Opcode ID: aa8ae76e3816f98a72f40a190988a48bbf6c853d2aa03b5a5dd74a663c289ca3
                                                                                                      • Instruction ID: 1ecb21192ca934f814f7e3c1056d43361a663eac36c0319d3fc9360a983cb3b2
                                                                                                      • Opcode Fuzzy Hash: aa8ae76e3816f98a72f40a190988a48bbf6c853d2aa03b5a5dd74a663c289ca3
                                                                                                      • Instruction Fuzzy Hash: EC1147B5904248CFDB14CF9AD444ADEFBF4EB48324F00842AD555A7300C374A545CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131A270, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 280 131a270-131a2b0 281 131a2b2-131a2b5 280->281 282 131a2b8-131a2e3 GetModuleHandleW 280->282 281->282 283 131a2e5-131a2eb 282->283 284 131a2ec-131a300 282->284 283->284
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0131A2D6
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 769d4589f256227afa182a5fd77a0d262623f7f24719ab1302f119c506c02d73
                                                                                                      • Instruction ID: 8fd29c34f4e5b4a39a2079dfc2099fe8b962bae89709688f41785456dc21f1bf
                                                                                                      • Opcode Fuzzy Hash: 769d4589f256227afa182a5fd77a0d262623f7f24719ab1302f119c506c02d73
                                                                                                      • Instruction Fuzzy Hash: 5B1110B5C002598FDB14CF9AD444BDEFBF4AB88324F14852AD859B7300C375A546CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052393C8, Relevance: 1.5, Strings: 1, Instructions: 293COMMON
                                                                                                      Download Yara Rule

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 286 52393c8-52393f1 287 52393f3-5239414 286->287 288 5239450-5239460 286->288 287->288 296 5239416-523941c 287->296 291 5239636-523963d 288->291 292 5239466-5239470 288->292 297 523963f-5239647 call 5239150 291->297 298 523964c-523965f 291->298 294 5239472-5239479 292->294 295 523947a-5239484 292->295 302 523948a-52394ca 295->302 303 5239669-523970a 295->303 300 523942a-523942f 296->300 301 523941e-5239420 296->301 297->298 305 5239431-5239435 300->305 306 523943c-5239449 300->306 301->300 315 52394e2-52394e6 302->315 316 52394cc-52394d2 302->316 334 5239711-5239747 303->334 335 523970c 303->335 305->306 306->288 319 5239513-523952b call 5239140 315->319 320 52394e8-523950d 315->320 317 52394d6-52394d8 316->317 318 52394d4 316->318 317->315 318->315 329 5239538-5239540 319->329 330 523952d-5239532 319->330 320->319 332 5239542-5239550 329->332 333 5239556-5239575 329->333 330->329 332->333 339 5239577-523957d 333->339 340 523958d-5239591 333->340 346 5239751 334->346 347 5239749 334->347 335->334 344 5239581-5239583 339->344 345 523957f 339->345 342 5239593-52395a0 340->342 343 52395ea-5239633 340->343 352 52395a2-52395d4 342->352 353 52395d6-52395e3 342->353 343->291 344->340 345->340 351 5239752 346->351 347->346 351->351 352->353 353->343
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $%%l
                                                                                                      • API String ID: 0-2623905514
                                                                                                      • Opcode ID: 94620057f237d9a793586ae8b757fd17c107f52111a7a2909e96ca9e5cf3e635
                                                                                                      • Instruction ID: b49afd42d9e5de2d23ead7ca4b1fa71f52a7ff98a578c522831b696db1e82592
                                                                                                      • Opcode Fuzzy Hash: 94620057f237d9a793586ae8b757fd17c107f52111a7a2909e96ca9e5cf3e635
                                                                                                      • Instruction Fuzzy Hash: 97B18E74B152059FDB18DFA8D595BAEBBF2BF8A304F214069E506AB3A1CB70DC41CB50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05230958, Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                                                                                                      Download Yara Rule
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Xc)l
                                                                                                      • API String ID: 0-1697529776
                                                                                                      • Opcode ID: b8b3e95600d3732efc74d9ec80555131324214bd5c15a38694cf011160afee49
                                                                                                      • Instruction ID: 844181d1b346ceb5c00270f053c08ae298b665df2832ce2a8a30e991ce66720e
                                                                                                      • Opcode Fuzzy Hash: b8b3e95600d3732efc74d9ec80555131324214bd5c15a38694cf011160afee49
                                                                                                      • Instruction Fuzzy Hash: 6151F2747141198FCB08DB7DC4A4A6EB7EAEFC8664B16807AD90ACB351DF30DC0187A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05234538, Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                      Download Yara Rule
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $%%l
                                                                                                      • API String ID: 0-2623905514
                                                                                                      • Opcode ID: bab41b80b9c602bda43e6e15d6a858bc55e7a587eaeb304a47c589bb6d7c4689
                                                                                                      • Instruction ID: 5de9c2c515602d571c7c215ca9ce60cbbd9827838dc672bb9018eafd6a7f3573
                                                                                                      • Opcode Fuzzy Hash: bab41b80b9c602bda43e6e15d6a858bc55e7a587eaeb304a47c589bb6d7c4689
                                                                                                      • Instruction Fuzzy Hash: 634102703242148FDB28A724C459B7A73E2BFC2218F4488BDD14A8B390CF74AC45CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E278, Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                                                                      Download Yara Rule
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: x$l
                                                                                                      • API String ID: 0-3243016539
                                                                                                      • Opcode ID: 8c1e976bb0c56e235d74b06839e2a3d333f2c9d2d8e378c8da977acc63f35efa
                                                                                                      • Instruction ID: 6d4351445f2d5d60e85ff7137c1ec19e69fcf28b09826a850f8d91c326aebaa1
                                                                                                      • Opcode Fuzzy Hash: 8c1e976bb0c56e235d74b06839e2a3d333f2c9d2d8e378c8da977acc63f35efa
                                                                                                      • Instruction Fuzzy Hash: B031B4323152104FD314E73AE494AAAB3EBEFC9724B598939E40AC7744DF31AC0AC780
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05239E60, Relevance: .3, Instructions: 332COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2828ee0aa2d980f06f5c0df817b9a9f2b6b29458774329ef328de4f177a09d31
                                                                                                      • Instruction ID: 89b2482196f965a6b2dce7e6a80418dfd0f56f6bfafe9fef48ce812d5592a5a9
                                                                                                      • Opcode Fuzzy Hash: 2828ee0aa2d980f06f5c0df817b9a9f2b6b29458774329ef328de4f177a09d31
                                                                                                      • Instruction Fuzzy Hash: ADF12634624619DFCB15DF19C4899A9BBB2FF4A304F41C0A5E84A9B360DB74EE85CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05238558, Relevance: .3, Instructions: 267COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3ed89f76c5acddfe9013829758f7576f53ade0f4c7a1bd4a65884b166d3296cd
                                                                                                      • Instruction ID: 5219b8e75a944bb5542f7696397c0ad387dab07cd94757f991410eb88416b588
                                                                                                      • Opcode Fuzzy Hash: 3ed89f76c5acddfe9013829758f7576f53ade0f4c7a1bd4a65884b166d3296cd
                                                                                                      • Instruction Fuzzy Hash: B5A1C1797152059FCB14CF64D855AAEBBB6FF89210F14842AF906CB351DB31EC16CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05237918, Relevance: .3, Instructions: 253COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e0eb24a9f8c2b85d05602fa3d50647f180bf6f9e398ae48159fc8b160062ce99
                                                                                                      • Instruction ID: 8c841c89bb7ba87a6c61518413c755dc2f6a9291b15fae25d0b3da5ec719fc18
                                                                                                      • Opcode Fuzzy Hash: e0eb24a9f8c2b85d05602fa3d50647f180bf6f9e398ae48159fc8b160062ce99
                                                                                                      • Instruction Fuzzy Hash: F691CFB572020AEFCF14CF64C85597ABBB7FF88251B158529E90697320EB70DE51CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233540, Relevance: .2, Instructions: 249COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f34f28610c38f751d38f5ef0352138d024966b673e18fe27a4e0f1ec2e63b60a
                                                                                                      • Instruction ID: 07b9e69f3825eee63e3cd837eb366d8e58bdf118f5d750a86906d03f5658180b
                                                                                                      • Opcode Fuzzy Hash: f34f28610c38f751d38f5ef0352138d024966b673e18fe27a4e0f1ec2e63b60a
                                                                                                      • Instruction Fuzzy Hash: 0781DDB9B241149FCB04DB28D4949AEBBE2FFD8351B158469E906DB360DF30DD06CBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05237C40, Relevance: .2, Instructions: 229COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c2d3abfb97badfe2fd75f364fa30f951d04a766bc739f683b7d72a25d90e6d47
                                                                                                      • Instruction ID: 22eb5c3d0a18db89406c997b2227257ae96b0b40971d6af5a895260c6f33fa62
                                                                                                      • Opcode Fuzzy Hash: c2d3abfb97badfe2fd75f364fa30f951d04a766bc739f683b7d72a25d90e6d47
                                                                                                      • Instruction Fuzzy Hash: F8A19079A11109EFCF19DF94E989AADBBB2FF48310F148059F906A7360CB31AD12DB50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05232018, Relevance: .2, Instructions: 205COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 116e56f5580edbb41675d14576b6486e648364492805084efc79702df400ff63
                                                                                                      • Instruction ID: 805c0e8594c2d5ad5c7ae580df731cbb2ef127a939ec0178a5d9d28e2ad6e166
                                                                                                      • Opcode Fuzzy Hash: 116e56f5580edbb41675d14576b6486e648364492805084efc79702df400ff63
                                                                                                      • Instruction Fuzzy Hash: 6581C275A14219CFCF04DFA9E885AAEBBB2FF88310F15C165E905AB295DB34DC05CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05234B48, Relevance: .2, Instructions: 204COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8c0a6c8d2e1e50a38dd6d8dcee1d51cbc2c3f9d024e533d4a867fc6ad6ee1dfa
                                                                                                      • Instruction ID: 908a6babf2d575a63178dc5c98023d759a5ffdacf0016b28df32493cb0d12901
                                                                                                      • Opcode Fuzzy Hash: 8c0a6c8d2e1e50a38dd6d8dcee1d51cbc2c3f9d024e533d4a867fc6ad6ee1dfa
                                                                                                      • Instruction Fuzzy Hash: 03718E757146158FCB14EB78C898A6A73B6FFC9714F1185A9E51ACB3A1CB30EC06CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05234DC8, Relevance: .2, Instructions: 197COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1b68f3ac0c007884b4e3324a00c9763029aea45eb260e59ad4cabae5b811bc0b
                                                                                                      • Instruction ID: fdf6e18a2dda74b481c6b91fe7e63c7208c0ec5017ba7cacb860a3d979c2e124
                                                                                                      • Opcode Fuzzy Hash: 1b68f3ac0c007884b4e3324a00c9763029aea45eb260e59ad4cabae5b811bc0b
                                                                                                      • Instruction Fuzzy Hash: 8151D0707142118FCB14AB78D859A7E73A7AFC5229F1585A9E51ECB390DF30EC0A87D1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05235C79, Relevance: .2, Instructions: 187COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: da74c476c04324a8ac190bafbaeba684ab1c5e38dc6fa2d5caa8f10221a54c0b
                                                                                                      • Instruction ID: 40a774ed8510de48f69a0452f9f7150fa9b0e8c4195abdd719af7cf3f63361cd
                                                                                                      • Opcode Fuzzy Hash: da74c476c04324a8ac190bafbaeba684ab1c5e38dc6fa2d5caa8f10221a54c0b
                                                                                                      • Instruction Fuzzy Hash: 9C718B74B1420C9FCB09EBE4D490AEEBBB2EF88308F018029D246673A4DB355C05DFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05236118, Relevance: .2, Instructions: 185COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e69aaf8a6eda9ef925ebe2d54b0045472e85708c3566e0c510a2db9c41bcee0d
                                                                                                      • Instruction ID: 86fa9a66e383f30f2576bc01ddebd0382df78672ef6eee4343246da31daf1b2b
                                                                                                      • Opcode Fuzzy Hash: e69aaf8a6eda9ef925ebe2d54b0045472e85708c3566e0c510a2db9c41bcee0d
                                                                                                      • Instruction Fuzzy Hash: D5614C7AB001159FCB11CF99C880DAABBF6FF8D310B1581A9E659DB321DB31E915CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233950, Relevance: .2, Instructions: 182COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d8f08066f1c029e7c1ddf100401788304d5b5e17604a1a133d215020ae3a00f2
                                                                                                      • Instruction ID: 59367b3cb17c0b08bb7eb44525b1786c5a2351b90d112f61e59d410439c56af5
                                                                                                      • Opcode Fuzzy Hash: d8f08066f1c029e7c1ddf100401788304d5b5e17604a1a133d215020ae3a00f2
                                                                                                      • Instruction Fuzzy Hash: DE51FF703146014F8728EB3A949856EB7E7BFC86543058A3DD64BCB7A5EF70EC068B81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C2D8, Relevance: .2, Instructions: 181COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3d86e8a8c372a73c35f14220fa6f25f457146cf9d82753d4b6984426723b8aba
                                                                                                      • Instruction ID: cdffa3ed5c8a8b36f2ac57e47088bbcc06591b3968ae2131e38fa914c1c4cb3b
                                                                                                      • Opcode Fuzzy Hash: 3d86e8a8c372a73c35f14220fa6f25f457146cf9d82753d4b6984426723b8aba
                                                                                                      • Instruction Fuzzy Hash: B0713C74214501DFC308EFB8C991929B7B6FF89324B54866CE816AB395DB32EC17CB84
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523F550, Relevance: .2, Instructions: 179COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9906d78720fb678bce24452f2138c6cf35519fcccfd30854cab3125f83637153
                                                                                                      • Instruction ID: 55b6ba80e21ec7ed6deecbc7982bb623d3821472e6deb7b1dd199b36fc06574e
                                                                                                      • Opcode Fuzzy Hash: 9906d78720fb678bce24452f2138c6cf35519fcccfd30854cab3125f83637153
                                                                                                      • Instruction Fuzzy Hash: F6814C74A1111ACFE724DB28D995FADB7B2BF88310F1080E9E80A9B765DB349D81DF10
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523F63C, Relevance: .2, Instructions: 174COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 65ee9182b36339d63fd58c0e774b94dc0c8e0cbd50d77ef8637a22ba2be360ae
                                                                                                      • Instruction ID: 11966fb92f3ccb98931d03fc226af83525c0b4b690a6df9c879470ec944c6b8f
                                                                                                      • Opcode Fuzzy Hash: 65ee9182b36339d63fd58c0e774b94dc0c8e0cbd50d77ef8637a22ba2be360ae
                                                                                                      • Instruction Fuzzy Hash: F6815A74A1015ACFD764DB28D995BADB7B2BF88310F1080E9E80AAB765DB349D81CF10
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05230040, Relevance: .2, Instructions: 174COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ded27f0585b25e79f620c451e748d1048644bab6a1103a91353a876d8572bf38
                                                                                                      • Instruction ID: 87e2af6b22ef97d7d4fc2394646fdb961f54a7cbb9a2e62a725c8096994d0499
                                                                                                      • Opcode Fuzzy Hash: ded27f0585b25e79f620c451e748d1048644bab6a1103a91353a876d8572bf38
                                                                                                      • Instruction Fuzzy Hash: 195170757002099FDB14CFA5D884AAFBBBAFF88311F14806AE916D7251DB31E911CBB0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05234810, Relevance: .2, Instructions: 155COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: df227b45bba4b3d69fd0e9ebb567bb92af05b1384d1bc1094e67bc903cacf556
                                                                                                      • Instruction ID: e77f86ea74b22699fc334e10e8f598c5a76ed06041bfd628f96a3241a032a6b7
                                                                                                      • Opcode Fuzzy Hash: df227b45bba4b3d69fd0e9ebb567bb92af05b1384d1bc1094e67bc903cacf556
                                                                                                      • Instruction Fuzzy Hash: C261F974A102098FCB14EF68C489EA9BBF2BF49314F1545A8D509AB361DB31EC85CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05239CE0, Relevance: .1, Instructions: 143COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 94e44ba3eb822236aeb824248d1c987f32dc7b6a87e102b7176a9fe7888617b2
                                                                                                      • Instruction ID: 30eec6daa67dfc482d311adaffa71c922c724c305f650cc826ceedfee664888d
                                                                                                      • Opcode Fuzzy Hash: 94e44ba3eb822236aeb824248d1c987f32dc7b6a87e102b7176a9fe7888617b2
                                                                                                      • Instruction Fuzzy Hash: 015157727142169FCB15DF68C8829BE7BB6FF89310B0540A6E909CB362CB75DC91CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05235D20, Relevance: .1, Instructions: 142COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 48c6c11ccbc5225f83755729d548bc20c0ffd05e6edb6ff92a442ba518fdd00a
                                                                                                      • Instruction ID: 4674778fab9f8a17b0ff98cfebb7fd5dbd1036ca174f5403e1ecb4316db8ac98
                                                                                                      • Opcode Fuzzy Hash: 48c6c11ccbc5225f83755729d548bc20c0ffd05e6edb6ff92a442ba518fdd00a
                                                                                                      • Instruction Fuzzy Hash: E7510574B0520C9FCB08EBE0D890AEEBBB6EF88304F118029D216673A4DB355D55DFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523D2C0, Relevance: .1, Instructions: 136COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6fdf0b9a29374407c0bc0718b641173be68299ffe93f7da3bf57b898ac03f2e4
                                                                                                      • Instruction ID: 62b2e32e93d1d6d06f7f71e0c104df45c49eedf3d33282c56be671d1079eeee2
                                                                                                      • Opcode Fuzzy Hash: 6fdf0b9a29374407c0bc0718b641173be68299ffe93f7da3bf57b898ac03f2e4
                                                                                                      • Instruction Fuzzy Hash: A9516A70A14719AFCB14DF78D4806AEBBF2BF88244F508929E54A9B740DB71A948CF91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05231E38, Relevance: .1, Instructions: 133COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 69f70844d1dd93c0ba8fbd6b36f8e9cd5b830b36fdaf9d8ca7724c67aeb2e2c7
                                                                                                      • Instruction ID: 7a2adb5482df825b8737834db26186c12e08a73d8c460f3d5b803f20e27f579d
                                                                                                      • Opcode Fuzzy Hash: 69f70844d1dd93c0ba8fbd6b36f8e9cd5b830b36fdaf9d8ca7724c67aeb2e2c7
                                                                                                      • Instruction Fuzzy Hash: 0F414431B042058FCB149BA8E455AAEBBF7EFC4210F158439D51AEB394DF349C19CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05239178, Relevance: .1, Instructions: 115COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: cebdc94e89ccaac38642bc01fec33fc6cd5bafab8a4f24207ae964bc138a141b
                                                                                                      • Instruction ID: 99713eb44978fafb043007b3013db3049bce415e51ff6af2c6d1a3765a562f7e
                                                                                                      • Opcode Fuzzy Hash: cebdc94e89ccaac38642bc01fec33fc6cd5bafab8a4f24207ae964bc138a141b
                                                                                                      • Instruction Fuzzy Hash: A941DF757282118FC7149B38C455BAE77F2BF86301F0584AEE08AD73A1CB349C45CBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05235F49, Relevance: .1, Instructions: 110COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: eb83f1465f38261d89470edb04a0dfc59d095db4d100d96b435bbac6f4f38079
                                                                                                      • Instruction ID: 85a31871c0baf2c58c91701c9bfc7624ef309e7903855a5f9f670cac90f0366d
                                                                                                      • Opcode Fuzzy Hash: eb83f1465f38261d89470edb04a0dfc59d095db4d100d96b435bbac6f4f38079
                                                                                                      • Instruction Fuzzy Hash: FE412175B14255EFC701EB68D885AADBBF1FF85304B91CAA9C009DB786DB309D09CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C150, Relevance: .1, Instructions: 87COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 11d3fa2a4ba2709762c1695e274fdaec28b9803b411fe812582eeec44703af73
                                                                                                      • Instruction ID: 345259fd7030ea0be646cd5178e95180ebd4489dc2f55963e75ec456c2935199
                                                                                                      • Opcode Fuzzy Hash: 11d3fa2a4ba2709762c1695e274fdaec28b9803b411fe812582eeec44703af73
                                                                                                      • Instruction Fuzzy Hash: 98318471224102DBD318DB68C951625B3A2EF89314F14C65CD867AB3E5CB72EC13CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E748, Relevance: .1, Instructions: 85COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 74760701de8fe9042ce281b14127aa427d3fef2c6a1b431cf5c156f5464b2a82
                                                                                                      • Instruction ID: 8629bd54254e4205db5913bbee1b59a945102394866819abeed9aaa8a0727a37
                                                                                                      • Opcode Fuzzy Hash: 74760701de8fe9042ce281b14127aa427d3fef2c6a1b431cf5c156f5464b2a82
                                                                                                      • Instruction Fuzzy Hash: B13198B56242229FCB14CF24C98196ABF79FF44344B0781A5D44ADB252D730EC49CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C160, Relevance: .1, Instructions: 85COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4a9b538aa91f3a5fd0b2611496b7029bbea659c1d1e8a47c8308196b5a36dfc1
                                                                                                      • Instruction ID: 13e275c61cb292a4ff16316aa47dc0d21d57db2fe9ef9ea94a64c288930fc43b
                                                                                                      • Opcode Fuzzy Hash: 4a9b538aa91f3a5fd0b2611496b7029bbea659c1d1e8a47c8308196b5a36dfc1
                                                                                                      • Instruction Fuzzy Hash: 85315071224102DBD318DB68D851A25B3A2EF89354B24C65DD867AB3E5CB72EC13CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233E80, Relevance: .1, Instructions: 83COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0b66d13accaf6ccd33bc6af9ab5bd166fee2293c9f91819f69564f1ca6dea483
                                                                                                      • Instruction ID: 1728fc2eb960045ed8474eaa57c1ccb41cf1ddac7ec37096eea9521832942d58
                                                                                                      • Opcode Fuzzy Hash: 0b66d13accaf6ccd33bc6af9ab5bd166fee2293c9f91819f69564f1ca6dea483
                                                                                                      • Instruction Fuzzy Hash: B32100743282118FD325CB2AD849A7A7BF6BF88621B08496DF04AC72E1CB75DD49CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523CD58, Relevance: .1, Instructions: 77COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f95b1dc6cf352649f8433302f759038dfb566268809e74c02d5c2483fac421c7
                                                                                                      • Instruction ID: 792d09248e69c6b6bde6f488e108b2c5f01565f8dc6fa7ab0a26e89a7e22d0a1
                                                                                                      • Opcode Fuzzy Hash: f95b1dc6cf352649f8433302f759038dfb566268809e74c02d5c2483fac421c7
                                                                                                      • Instruction Fuzzy Hash: AC313B38A11209EFCB14EFA4E4984AEBBB2FF89305F508468E90167384CF36AD55CF51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD3EC, Relevance: .1, Instructions: 75COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c8ef6ec60635e77367fbc47d6bb5f126929f594c20d424932eda09e8229bf6d6
                                                                                                      • Instruction ID: 8587a44b5eba4f0db736d0d7a96fa74329ea23b5b371dbe455f6302843506465
                                                                                                      • Opcode Fuzzy Hash: c8ef6ec60635e77367fbc47d6bb5f126929f594c20d424932eda09e8229bf6d6
                                                                                                      • Instruction Fuzzy Hash: C12136B1514249DFDB05DF54D9C0BE6BB71FB84368F24C569DA090B207C33AE846C6A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD4D8, Relevance: .1, Instructions: 75COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8ce4248eed8a030b9edf56890f1ce671ae81100156c8a0e7ee728b6192515c58
                                                                                                      • Instruction ID: ed58f0c15299f77ae1c917df590d9b246f081e7754d3fdffbbc9c68cb9d0cd1f
                                                                                                      • Opcode Fuzzy Hash: 8ce4248eed8a030b9edf56890f1ce671ae81100156c8a0e7ee728b6192515c58
                                                                                                      • Instruction Fuzzy Hash: 0A216AB1514249DFDB01CF44E8C0BD6BF65FB8836CF248569DA054B206C336D846C7A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05232EA8, Relevance: .1, Instructions: 72COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8824be26a9be19bac548c146c9f068fcc04cada9cb8160a6c67f59553e78b088
                                                                                                      • Instruction ID: db7d0ddfaee59b31b4bf7933c9818155e454f4c2ec30f145e8c3dfb9185ed3e8
                                                                                                      • Opcode Fuzzy Hash: 8824be26a9be19bac548c146c9f068fcc04cada9cb8160a6c67f59553e78b088
                                                                                                      • Instruction Fuzzy Hash: FC2145B4E2420ACFCF14DBA4C452BBEBBB2FF45304F158569C555AB391DB349806CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012CD01C, Relevance: .1, Instructions: 72COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503852539.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12cd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c16803edc501d51a66a87f7ddedbd5c863ea24d3162b1d65935d5316184c7c0d
                                                                                                      • Instruction ID: 1459f80dbd4b0253794e12884ae082af8700bab34ee94b6a9d88e4450917d054
                                                                                                      • Opcode Fuzzy Hash: c16803edc501d51a66a87f7ddedbd5c863ea24d3162b1d65935d5316184c7c0d
                                                                                                      • Instruction Fuzzy Hash: CB2137B1514248DFDB11CF58D4C0B16BBA1FB84754F24CA7DDA494B246C377D807CAA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012CD1D4, Relevance: .1, Instructions: 72COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503852539.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12cd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 052262ab691d9935d868fae5ce62ca5217ffac6687d0e2ac2a85253a1fdacedd
                                                                                                      • Instruction ID: 3db639069f89b374a2dec248bb4c80c10d419d5d2bdf294ecf1cf529714d29f7
                                                                                                      • Opcode Fuzzy Hash: 052262ab691d9935d868fae5ce62ca5217ffac6687d0e2ac2a85253a1fdacedd
                                                                                                      • Instruction Fuzzy Hash: 782137B1554248DFDB01CF94D9C0B26BBA2FB84724F24C77DDA494B247C376D806CAA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05230006, Relevance: .1, Instructions: 67COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9dd639fb18907d3e205dde2c7bbbbd4219e8be6e44dc2d8e5dec92f2644dc809
                                                                                                      • Instruction ID: f6156fb10f6da7c25b6117b2d6a4eee75ebe83798d2f3fb2017aec54a6686db5
                                                                                                      • Opcode Fuzzy Hash: 9dd639fb18907d3e205dde2c7bbbbd4219e8be6e44dc2d8e5dec92f2644dc809
                                                                                                      • Instruction Fuzzy Hash: 791103736092899FCF03CAA4CC50DDB7FB9EF4A210F0941A7E541E7162D625C819CBB1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05235B88, Relevance: .1, Instructions: 67COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5d422c99db69f9b1ea112a6affc6f0870f43c9a30a0ee1a9503723281adb58df
                                                                                                      • Instruction ID: b3bb79f6b9bb82af0dc3c89c59af84abbae48253dd524cf16a81b9d459771ad2
                                                                                                      • Opcode Fuzzy Hash: 5d422c99db69f9b1ea112a6affc6f0870f43c9a30a0ee1a9503723281adb58df
                                                                                                      • Instruction Fuzzy Hash: 15218475B20105AFCB18DB69D455AAEBBF6EF8C714F148419E906AB3A0CFB05C01CB95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012CD006, Relevance: .1, Instructions: 63COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503852539.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12cd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bd75a129cf4d363ff9fec0779c68399ec99ff46925f3b04909504119af5f6e0f
                                                                                                      • Instruction ID: 2bf8b48bd8c9f145f0c6d1d325f2cc2993e8708f6b609b3d5acd1871c311dbd9
                                                                                                      • Opcode Fuzzy Hash: bd75a129cf4d363ff9fec0779c68399ec99ff46925f3b04909504119af5f6e0f
                                                                                                      • Instruction Fuzzy Hash: 672195754083849FCB03CF18D994711BF71EB46314F28C6EAD9458F257C33A9846CBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233BF8, Relevance: .1, Instructions: 59COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 597a00ec2dec7d4179a5d4d4952e0a6a510883e2d38d17469b60f4b555fb66c1
                                                                                                      • Instruction ID: d0c9649020b9bb9a8f331d4bf7ce1b612931df8ed084a3c80fa565b09f202c1b
                                                                                                      • Opcode Fuzzy Hash: 597a00ec2dec7d4179a5d4d4952e0a6a510883e2d38d17469b60f4b555fb66c1
                                                                                                      • Instruction Fuzzy Hash: CB210475A001098FCB54CFA9C585AEDBBF2FF88310B2549A9D419EB361D732AE41CB50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05234527, Relevance: .1, Instructions: 58COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: af6528a72f6c8aca6f95d4fd87cc868fc63cf738d978b0b3d5f8f28201f0db7e
                                                                                                      • Instruction ID: f4c56a014a8fac7b539fcd786702b7452ffcca53825b0d90e5dd3224db1455dd
                                                                                                      • Opcode Fuzzy Hash: af6528a72f6c8aca6f95d4fd87cc868fc63cf738d978b0b3d5f8f28201f0db7e
                                                                                                      • Instruction Fuzzy Hash: B1210A706247448FD725A724C00D7BA77F2BF82315F4548AEE19B472D1CBB1A848CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523FC09, Relevance: .1, Instructions: 56COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6275222e0ed7f1734a14fde00594ed121d386b2bafd5614067e6742002c76531
                                                                                                      • Instruction ID: 7042859609507089426406cb9e52aab0e06385dfaa9e93dccaa833525198fc8e
                                                                                                      • Opcode Fuzzy Hash: 6275222e0ed7f1734a14fde00594ed121d386b2bafd5614067e6742002c76531
                                                                                                      • Instruction Fuzzy Hash: 84018036B640159BDF208A56B90E3BEF76AFFC0665F004426ED06D71D0DBB98A818680
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD3E7, Relevance: .1, Instructions: 56COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                                      • Instruction ID: 57740134fa1eea7cc2f8ee9e8c4dafce504d895040fb9c7e52ff8318df4d2e34
                                                                                                      • Opcode Fuzzy Hash: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                                      • Instruction Fuzzy Hash: B3110376404284CFCB02CF44D5C4B96BF72FB84324F28C6A9D9080B617C33AE45ACBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD4D3, Relevance: .1, Instructions: 56COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                                      • Instruction ID: e1e0eb6d82d98d076fce38a54212e8aa08de85de9636e2f2cc3edc2a3c7f2763
                                                                                                      • Opcode Fuzzy Hash: a4ebfea70809b752dd87daf1091c6fefd11053e22c75fac3715a094701740d1c
                                                                                                      • Instruction Fuzzy Hash: 7D110372404285CFCB12CF44E5C4B96BF71FB88328F2482A9D9050B217C33AD45ACBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233CF0, Relevance: .1, Instructions: 53COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ca570960c3daf6183f8918c1c2b31277304c800a7ac95f40cad479e0f816be0a
                                                                                                      • Instruction ID: 9e7c4d1d14f9c2c52852221669cc29f0d2759ac60e5839c3f2387a518ae4cf85
                                                                                                      • Opcode Fuzzy Hash: ca570960c3daf6183f8918c1c2b31277304c800a7ac95f40cad479e0f816be0a
                                                                                                      • Instruction Fuzzy Hash: 16118F74A20118DFCB44CF99E884DDDBBB2FF88321F4182A6E905A7351D770AA54CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05237F47, Relevance: .1, Instructions: 53COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 91094765495421163bfb93ad9420030ab70e83a2f8ebeabee23ce0686e3ddfd1
                                                                                                      • Instruction ID: 6ccaaaa11510679c75795d9b05227a3181f12d9412dba2ae3bf924903fdf321a
                                                                                                      • Opcode Fuzzy Hash: 91094765495421163bfb93ad9420030ab70e83a2f8ebeabee23ce0686e3ddfd1
                                                                                                      • Instruction Fuzzy Hash: 2511CE7A701204AFCB09CF68E459B59BB6AFF89300F158128FA06CB751CB31E812CBD0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012CD1CF, Relevance: .1, Instructions: 53COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503852539.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12cd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 918b5a484225ea750dc867420c5dc02e162b71f4ae55fd38ff69526cb1fe86f3
                                                                                                      • Instruction ID: c4d388f2faa4bc8a0a0363f36efdaaec49a7d0fb1aa7683b0c261bcbe367183a
                                                                                                      • Opcode Fuzzy Hash: 918b5a484225ea750dc867420c5dc02e162b71f4ae55fd38ff69526cb1fe86f3
                                                                                                      • Instruction Fuzzy Hash: 6411EE76804284CFDB02CF54C5C0B15BB72FB84224F24C6AEDA484B257C33AD40ACB92
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523D4E1, Relevance: .1, Instructions: 52COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5c21e6727216f60e3a9a67ea8a993606dc7e70526ba871a1a2b4ff7dabaadbe1
                                                                                                      • Instruction ID: 72574a6b0fb9e5b4049654130bf237aae07fd76e79c310a5ebabf00083cf4c5c
                                                                                                      • Opcode Fuzzy Hash: 5c21e6727216f60e3a9a67ea8a993606dc7e70526ba871a1a2b4ff7dabaadbe1
                                                                                                      • Instruction Fuzzy Hash: 75110A7112C7541FC315EB34E4616AA7B72DF92200B46CE69C1858F5A5DF706C0EC792
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052354A8, Relevance: .1, Instructions: 51COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c405f52150279cd2a178ad3df28f92d6022ab0e912120b3f70d6bc5c2beec353
                                                                                                      • Instruction ID: b13ab4d2cc8719a8262176bc7bca7c2549ecb1251dbdf37d631ed51ac7bdd289
                                                                                                      • Opcode Fuzzy Hash: c405f52150279cd2a178ad3df28f92d6022ab0e912120b3f70d6bc5c2beec353
                                                                                                      • Instruction Fuzzy Hash: B00197777092804FC305EB3CE444AD5BFA5EFC1340B0A81BAD409CB362D9A08C06C380
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E0D0, Relevance: .0, Instructions: 50COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4308fea2611a8d1dff4cfc9bbaf91cf8038993fec2cfbfb5047a7728fe60eafd
                                                                                                      • Instruction ID: b83bd27d194b54a5ddfd7f3f9160765f8eb26e33ed7054fffa22532779ba0852
                                                                                                      • Opcode Fuzzy Hash: 4308fea2611a8d1dff4cfc9bbaf91cf8038993fec2cfbfb5047a7728fe60eafd
                                                                                                      • Instruction Fuzzy Hash: 75015EBA3153449BC32AFB78F00D6957B26EF91722B44417AF10A87380CB319866CB51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523E738, Relevance: .0, Instructions: 48COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d1ecad80273946f1e826309b3001a961a1ccd0a89d9bcdcd4f6b017072df9a71
                                                                                                      • Instruction ID: 76427130eaef7e869ef7bf28c3cac4b5e0c2d294c8708b51b8d8275722e6e6f6
                                                                                                      • Opcode Fuzzy Hash: d1ecad80273946f1e826309b3001a961a1ccd0a89d9bcdcd4f6b017072df9a71
                                                                                                      • Instruction Fuzzy Hash: 0E01D4F683D3C59EC7138BB15D1A1E97F759F17211F0A44EBC18996093D238460ACB22
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052391D8, Relevance: .0, Instructions: 47COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1ea43ee1c5522454bd181b7c9b83cfb5ee0ab6124ff5871f58882a080d2b2c76
                                                                                                      • Instruction ID: 71d506383c57c60d28053f24e9484b1eb05607cbe52e8853a648262fe43eb149
                                                                                                      • Opcode Fuzzy Hash: 1ea43ee1c5522454bd181b7c9b83cfb5ee0ab6124ff5871f58882a080d2b2c76
                                                                                                      • Instruction Fuzzy Hash: 07017C71350A158F8714EF2ED481D2AB7F6FF892143168A69E14ADB731EB30EC498B80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD731, Relevance: .0, Instructions: 45COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b09a9cdb4090ee684bb7703228ed30110bb0abeb80167276ac6a8472fcd47305
                                                                                                      • Instruction ID: c170794e712456ba04fbf4802e293c9d493079ed82772d69be5522d7f6662330
                                                                                                      • Opcode Fuzzy Hash: b09a9cdb4090ee684bb7703228ed30110bb0abeb80167276ac6a8472fcd47305
                                                                                                      • Instruction Fuzzy Hash: 3F01D4714283889AE7144A6ACCC47F6BB98EF803BCF18855AEE044A242C3789844D6B1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523CE8A, Relevance: .0, Instructions: 42COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0b45daa26acd2cbe636c7cb21ac745bd75bcfe38066f144a11d933e1313f26f0
                                                                                                      • Instruction ID: 0f178d1da9625791fb9b458589ae96e40c19c5d475f0cb7de1793f3293c96870
                                                                                                      • Opcode Fuzzy Hash: 0b45daa26acd2cbe636c7cb21ac745bd75bcfe38066f144a11d933e1313f26f0
                                                                                                      • Instruction Fuzzy Hash: 00018C78A15309EFCB14DFA0E489AADBB32EF89314F518569E501673D0CB369856CF41
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD5DB, Relevance: .0, Instructions: 37COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 70790677c7af26b6faf85ee4e1300b61309b24d5d89bb2ae103dbf00100be124
                                                                                                      • Instruction ID: c76ea3098037881d0cb39bd3632a70900c90ac5b0b46596d93848340b86cebc4
                                                                                                      • Opcode Fuzzy Hash: 70790677c7af26b6faf85ee4e1300b61309b24d5d89bb2ae103dbf00100be124
                                                                                                      • Instruction Fuzzy Hash: 5AF04476200604AF93208F0AD985C63FBADEBD8774319C49AEC4A4B712C671FC42CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05236028, Relevance: .0, Instructions: 36COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9526ac0c836a5b5fba13b778a4ed95d73d2eec16cc5e4f3706a0b9e3b5caa4c2
                                                                                                      • Instruction ID: 26141d17c449547005c9f6ad0534964905fdf1b68b4d1a11b59d854431023672
                                                                                                      • Opcode Fuzzy Hash: 9526ac0c836a5b5fba13b778a4ed95d73d2eec16cc5e4f3706a0b9e3b5caa4c2
                                                                                                      • Instruction Fuzzy Hash: 9C011D74E10219BF8B44EFA5E4956ADBBF1EF84304B90C9A9D405EB340EB706E089F40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD730, Relevance: .0, Instructions: 36COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0ad5a54a910ac14cd01b3c804ed54e63d2fa0d8a60495e0c97498bf4d85ad8d8
                                                                                                      • Instruction ID: 9b597abe85e92ed87c4f2bd261019f595a91fdf8726f574be85c4f386bb8ba7a
                                                                                                      • Opcode Fuzzy Hash: 0ad5a54a910ac14cd01b3c804ed54e63d2fa0d8a60495e0c97498bf4d85ad8d8
                                                                                                      • Instruction Fuzzy Hash: 9DF0C8714042889EE7148B1ACCC47F2FFE8EB81778F18C45AEE480B242C3785844DAB0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C850, Relevance: .0, Instructions: 35COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: cc655497a989d208a6163d7e4a93305e55a6ebd5de0822632decdbf21e27feb3
                                                                                                      • Instruction ID: 59efe451911478d0748bac1287791087894053a119117414c6a70d6984285f78
                                                                                                      • Opcode Fuzzy Hash: cc655497a989d208a6163d7e4a93305e55a6ebd5de0822632decdbf21e27feb3
                                                                                                      • Instruction Fuzzy Hash: 0AF0FFB4E202199FCB21AFA8D8017BE7BB6FF84310F00416EC50A67240CB719906CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 012BD5CC, Relevance: .0, Instructions: 35COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.503801496.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_12bd000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 81ebc1b996fa8125f9c38f8b660fcb4c0ae4dbe4fdf3d17b2eae6c41bbe6d7a0
                                                                                                      • Instruction ID: 04251f7129a2bd4fe4989d913207ae1a92fd65f9fad224c2e9e8bd66eb1ddbd6
                                                                                                      • Opcode Fuzzy Hash: 81ebc1b996fa8125f9c38f8b660fcb4c0ae4dbe4fdf3d17b2eae6c41bbe6d7a0
                                                                                                      • Instruction Fuzzy Hash: 40F03775104A40AFD3258F06C985C62BBB9EB8976471A8489E8894B322C670FC42CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052353B0, Relevance: .0, Instructions: 34COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 35abd0bec2057003fdcf58fee25aca1feefce47f57006d30d2c4272713197775
                                                                                                      • Instruction ID: dbb6cfa0a1a3344fdec44594c200245e26e04248a399c2402902120c882fd2bc
                                                                                                      • Opcode Fuzzy Hash: 35abd0bec2057003fdcf58fee25aca1feefce47f57006d30d2c4272713197775
                                                                                                      • Instruction Fuzzy Hash: 77F090393152059FD709F778E441778339AAFC0308B008469C80D87B49EF71A8268BA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052360B2, Relevance: .0, Instructions: 33COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 79eb4512c7c7313d8ea7f872c64ab4c1ead81a325e7591d18dd037584ec4eddd
                                                                                                      • Instruction ID: cef711993beb4adc377d1fb61d78b674d00b53a82c2a2a52c3d0b63fd6886c7c
                                                                                                      • Opcode Fuzzy Hash: 79eb4512c7c7313d8ea7f872c64ab4c1ead81a325e7591d18dd037584ec4eddd
                                                                                                      • Instruction Fuzzy Hash: 5CF0307221E3C05FC3035739AC29842BFB5EF8726031B86DBD084CB193D5248846C7A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05235440, Relevance: .0, Instructions: 32COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5bfb3047fa5203538d6120428d8b8e295aff8bc41bf3b3b911d4ae5c9999c7f7
                                                                                                      • Instruction ID: 6c3cb4f5aebc0f898c79409b5d257b0b51492a9c6d249c7fe4a1cdbfe3e9c944
                                                                                                      • Opcode Fuzzy Hash: 5bfb3047fa5203538d6120428d8b8e295aff8bc41bf3b3b911d4ae5c9999c7f7
                                                                                                      • Instruction Fuzzy Hash: 97F082393002048FC704FB7DE444A9A77DAEFC5755B114079D905C7755EEB09C158791
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05230888, Relevance: .0, Instructions: 32COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c14d50055bcd9ff9bde3267555aa46288ebcb5d38ab36e377bae986c2fa1e2b6
                                                                                                      • Instruction ID: 1cb7527604e6d503ad70c150a3730544282b9e913f3513fa03798e93a104e89d
                                                                                                      • Opcode Fuzzy Hash: c14d50055bcd9ff9bde3267555aa46288ebcb5d38ab36e377bae986c2fa1e2b6
                                                                                                      • Instruction Fuzzy Hash: 430114B1D00219DFCB40EFA8D8419AEBBF1FF48310B10C929D559A7200E335AA12CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052352D8, Relevance: .0, Instructions: 31COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ef8de30aaa2343800cd238100be59ec4317be17b16977ff2a8239b1639d35bcc
                                                                                                      • Instruction ID: 07c5c896186e65f80e336f4d390db499b9652522f4ded50fefda379c95a5c490
                                                                                                      • Opcode Fuzzy Hash: ef8de30aaa2343800cd238100be59ec4317be17b16977ff2a8239b1639d35bcc
                                                                                                      • Instruction Fuzzy Hash: 47F062B6A1B208DBC301FFB0E890A993367A7843457528B74C4008776CEB302D39CF91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C7C6, Relevance: .0, Instructions: 29COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 959ed6f2e8dec410ca353cf33406eb62dc79fa2ebc751e9f0d899dbab3d78c89
                                                                                                      • Instruction ID: dfea617fd6014b25297126eb7cc587a637279da4b172bc20ec3ec3a7ce171a4f
                                                                                                      • Opcode Fuzzy Hash: 959ed6f2e8dec410ca353cf33406eb62dc79fa2ebc751e9f0d899dbab3d78c89
                                                                                                      • Instruction Fuzzy Hash: 6FF01AA261E3C08FC7038778A82A4C43F329F9719074E48DBE085EF9B7C1169E46D312
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052338E8, Relevance: .0, Instructions: 29COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5d9a38c973a5a1b28fe9a0db3346c128eb2e1bab229b6a76973a1a09a0dcbbf5
                                                                                                      • Instruction ID: 3607699e1db189c4486e8fc4b27ac44be9f20738f96d971564449c34a812cfc8
                                                                                                      • Opcode Fuzzy Hash: 5d9a38c973a5a1b28fe9a0db3346c128eb2e1bab229b6a76973a1a09a0dcbbf5
                                                                                                      • Instruction Fuzzy Hash: B5F082711507509BC320AF2DD848A86BBA5EF86330B524B5DD1A58B6F1C771A8068B54
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C070, Relevance: .0, Instructions: 27COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4d7b966cb51d31ad1a58377262ff2884bf49cabb5f0d6e5014a6a58dbb210a7a
                                                                                                      • Instruction ID: b080a8a90d6b44d624f1d835eb48c33098cd755a35083aeaf83712eb5d5af98c
                                                                                                      • Opcode Fuzzy Hash: 4d7b966cb51d31ad1a58377262ff2884bf49cabb5f0d6e5014a6a58dbb210a7a
                                                                                                      • Instruction Fuzzy Hash: 41E092317243118BC3186639D4496AE73EA9FCA211F10847DE08ED3340CFB59C42DB50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052353A0, Relevance: .0, Instructions: 27COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 06f7f99684dfa193e4ce5111cf3c3d541a255e2d85a30b76442d04d2f2cb5137
                                                                                                      • Instruction ID: 06f15e601067ccb7587dac18852fcef6551bc145315250a08f939b8a926b288e
                                                                                                      • Opcode Fuzzy Hash: 06f7f99684dfa193e4ce5111cf3c3d541a255e2d85a30b76442d04d2f2cb5137
                                                                                                      • Instruction Fuzzy Hash: 1BE0D87975A3444FC70AF63CF4425A83F21FF90204301466AD84DC7353CE6488278FA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052354D0, Relevance: .0, Instructions: 26COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bc2e9d907aaad4830b9172110c54798865214b792df6db9ce44c7cf343c7eae3
                                                                                                      • Instruction ID: 88e1ec0e02e541abd49f20d5b90c118923a4fd09b8fdb4c8207dffa518087def
                                                                                                      • Opcode Fuzzy Hash: bc2e9d907aaad4830b9172110c54798865214b792df6db9ce44c7cf343c7eae3
                                                                                                      • Instruction Fuzzy Hash: DFE026D736D1E49FC3128BBC28661F23B70DA9B25138480CAE54D8F695D104942FC361
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C950, Relevance: .0, Instructions: 25COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2dc7f7a62e7b24c85b5ea839625ee73f32470ea08ceb8aeffa89b1b000422afa
                                                                                                      • Instruction ID: e859ebd906df6299d520aebcf4ec599a00460edced771bb0dc388ec1b4b5bfa1
                                                                                                      • Opcode Fuzzy Hash: 2dc7f7a62e7b24c85b5ea839625ee73f32470ea08ceb8aeffa89b1b000422afa
                                                                                                      • Instruction Fuzzy Hash: D7E048B51102068FD700EB58D4C5D35B3A6FF49714B554AD4E00CAF766DB22ECD1CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C121, Relevance: .0, Instructions: 19COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8b716079965a9ff0ffe87e2a96888dc6380c0aa9b87f559a201cae1133d8536b
                                                                                                      • Instruction ID: ada731d21f3fcae2419354f4bea356180692fffb84bf2bbd6be382980cd4ddfb
                                                                                                      • Opcode Fuzzy Hash: 8b716079965a9ff0ffe87e2a96888dc6380c0aa9b87f559a201cae1133d8536b
                                                                                                      • Instruction Fuzzy Hash: AFE0173A14A2808FD302C764D898DD53F71AF9A154B2A85EAE489CF663D211A80A8B61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C2A0, Relevance: .0, Instructions: 19COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 123fc6c9452502e5b6427800ec786231487974b7402c222363fbb748cbff0cd8
                                                                                                      • Instruction ID: 310487ffed0a7be18a3e614ef6a24c2ec5090a57d6e18607b253a057b80c8b8d
                                                                                                      • Opcode Fuzzy Hash: 123fc6c9452502e5b6427800ec786231487974b7402c222363fbb748cbff0cd8
                                                                                                      • Instruction Fuzzy Hash: 97D05EB240A2943FC3026A61AC05893BF6CEE031A13064056F884D2453C2244820C3F4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523BF28, Relevance: .0, Instructions: 16COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f44bf2da52fbb6c8c57480f846f01765a30e549a6504615c211bef71c7a81909
                                                                                                      • Instruction ID: d929b589768705c5d19c0e68772eac4ec50dd4b4c5b558c7f64ddb5ecacca177
                                                                                                      • Opcode Fuzzy Hash: f44bf2da52fbb6c8c57480f846f01765a30e549a6504615c211bef71c7a81909
                                                                                                      • Instruction Fuzzy Hash: CCD012A176420B4DE7306C52840B3BA318B7FC0305F68D0F5A44D0448AEEBA95C59551
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523C100, Relevance: .0, Instructions: 14COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b142a9de0fe1055ea6fefd4c6ddb74ca37118cb90df0917053c48e2cb68768fe
                                                                                                      • Instruction ID: b6ead89483cf6e1e95f0ee842192fc4a9a9c9eefa102e9ce81090df5edfd35e1
                                                                                                      • Opcode Fuzzy Hash: b142a9de0fe1055ea6fefd4c6ddb74ca37118cb90df0917053c48e2cb68768fe
                                                                                                      • Instruction Fuzzy Hash: 59C08CA22AA3911CE7028AA09C2A5F13F3CCF43010B4A04E3F8C4C95ABE26408414232
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05233E50, Relevance: .0, Instructions: 13COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fb4af9f66e20fdad85518ca0c7b9640177f690711e8ebacb9d66131bdb0ea1ec
                                                                                                      • Instruction ID: e2e50471f1c17cf8b393d72cd3adf19ab70c6f89bf75a8283312617de3846749
                                                                                                      • Opcode Fuzzy Hash: fb4af9f66e20fdad85518ca0c7b9640177f690711e8ebacb9d66131bdb0ea1ec
                                                                                                      • Instruction Fuzzy Hash: 21C012B55162802FD7026620CE1A9C03F34DB433907130586E001C616290150B418BA6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052391B8, Relevance: .0, Instructions: 13COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3ded3c7ffc522deb62821e8671168cb337e6d9ff7eb93815e047e9b05595d281
                                                                                                      • Instruction ID: 911e809c62b6c9315f9bcd83ecde11f1a4c2e9177313e14b31e53ef0fb40a274
                                                                                                      • Opcode Fuzzy Hash: 3ded3c7ffc522deb62821e8671168cb337e6d9ff7eb93815e047e9b05595d281
                                                                                                      • Instruction Fuzzy Hash: B9D02230169308CFC300DBA8D088E9077A4FF44208F2549F8F08C9B322CB61FC198B21
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 052391C8, Relevance: .0, Instructions: 12COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f84c754e4f7eb2378448ebbcfa5d39b6e9d3f208e6cbd7bad1639eecf80af8bd
                                                                                                      • Instruction ID: 88e810bacc1bf072fb19d85b692340471a0f00a6eb85f9ed327552a21f76b7bf
                                                                                                      • Opcode Fuzzy Hash: f84c754e4f7eb2378448ebbcfa5d39b6e9d3f208e6cbd7bad1639eecf80af8bd
                                                                                                      • Instruction Fuzzy Hash: CCC08C702B8208CFC200D729C485A1133AEFF45B08F8108E0F604DB722CB62FC005601
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0523AF7F, Relevance: .0, Instructions: 11COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 27b5256218568d83f6f603198e6cd3d77a4051217ea7c0bf5e01290ff4a7a66d
                                                                                                      • Instruction ID: d8954a42bb37d13ab310abc052548c25512c7d0d4520be0aa97e314e6e679dea
                                                                                                      • Opcode Fuzzy Hash: 27b5256218568d83f6f603198e6cd3d77a4051217ea7c0bf5e01290ff4a7a66d
                                                                                                      • Instruction Fuzzy Hash: 0CC02BD3C09A8426D3030190AC4F3E03B70DF62300FCC069B840580640F10CC4D0020B
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05239198, Relevance: .0, Instructions: 10COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 426453536690cb678ce6874b7469e55997c1e5e99f87e6fa916220ee3ed33f62
                                                                                                      • Instruction ID: dd6037e2555493bfe96cddf3021860afd234f413e16096d5c7133e4a51327ad7
                                                                                                      • Opcode Fuzzy Hash: 426453536690cb678ce6874b7469e55997c1e5e99f87e6fa916220ee3ed33f62
                                                                                                      • Instruction Fuzzy Hash: 0CB092E11F921E028B102199950A775320EDF81529F8A09B1258875A029A9A68B1106A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 05232E80, Relevance: .0, Instructions: 5COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.509481255.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_5230000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e12391d1b1e5b0c8b96d61524a61c11082b7326ca99ade3310e73763d510016d
                                                                                                      • Instruction ID: f5d61eed7d73ac0f48893ad378a199aaafd4d045329e4b244a8658583865ec69
                                                                                                      • Opcode Fuzzy Hash: e12391d1b1e5b0c8b96d61524a61c11082b7326ca99ade3310e73763d510016d
                                                                                                      • Instruction Fuzzy Hash: F7B0015A6789C0DAC6626B2471AA3D97FA06FC7910FD948E1A0C101C126A084406E246
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Non-executed Functions

                                                                                                      Function 0131EF30, Relevance: .3, Instructions: 315COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9d9fcf1ea610d7e594ca1a2e03b8d66b22412c1b74e1b26980587ee31596788b
                                                                                                      • Instruction ID: 7d151dfba73153de2ee8879758978d3a754f14794479f64a1ff7a892f354c5ff
                                                                                                      • Opcode Fuzzy Hash: 9d9fcf1ea610d7e594ca1a2e03b8d66b22412c1b74e1b26980587ee31596788b
                                                                                                      • Instruction Fuzzy Hash: 5312D3F54117468BE732CF65E8C828DBBB9B795328F904308D2616FAD8D7B8154ACF84
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Function 0131EF22, Relevance: .2, Instructions: 224COMMON
                                                                                                      Download Yara Rule
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.504086647.0000000001310000.00000040.00000001.sdmp, Offset: 01310000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_1310000_Courvix-VPN.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9af4b3e6b45b8447ec74bcb3ecfb19640d7a4f61072ab9559dbee5294de83739
                                                                                                      • Instruction ID: b6be85ea15993db2a897abd533b9fa9240318ded58f35cb4837dd9b45b8126f4
                                                                                                      • Opcode Fuzzy Hash: 9af4b3e6b45b8447ec74bcb3ecfb19640d7a4f61072ab9559dbee5294de83739
                                                                                                      • Instruction Fuzzy Hash: A5C11AB18117468BE732CF65E8C828DBBB9FB95328F514308D2616F6D8D7B8154ACF84
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%