Windows Analysis Report
R9GpVOQoR3.msi

Overview

General Information

Sample name: R9GpVOQoR3.msi
renamed because original name is a hash value
Original sample name: 88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70.msi
Analysis ID: 1562675
MD5: dce26534527d10b00359837951a4f672
SHA1: 35f2bf722f71ac7d356aca4d097099a8cc3fec23
SHA256: 88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70
Tags: msiuser-johnk3r
Infos:

Detection

Score: 38
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (might use process or thread times for sandbox detection)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dll ReversingLabs: Detection: 23%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870B0C90 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider, 8_2_00007FF7870B0C90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870E4D00 SetConsoleOutputCP,memset,memset,__acrt_iob_func,__acrt_iob_func,CRYPTO_get_ex_new_index,OPENSSL_init_crypto,memset,malloc,calloc, 8_2_00007FF7870E4D00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712F380 malloc,EVP_CipherInit_ex,EVP_CipherUpdate,_exit,EVP_CipherFinal,malloc,malloc,EVP_MAC_init,_exit,EVP_MAC_update,EVP_MAC_update,EVP_MAC_CTX_get_mac_size,EVP_MAC_final,CRYPTO_memcmp,malloc,malloc,htonl,htonl,free,free,ERR_clear_error,free,free, 8_2_00007FF78712F380
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CDB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv, 8_2_00007FF7870CDB60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870AD7B0 BIO_new_mem_buf,_exit,PEM_read_bio,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free, 8_2_00007FF7870AD7B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870ADE90 EVP_CIPHER_CTX_new,EVP_des_ede3_ecb,EVP_EncryptInit_ex,EVP_EncryptUpdate,EVP_EncryptFinal,_exit,EVP_CIPHER_CTX_free, 8_2_00007FF7870ADE90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870AE520 NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free, 8_2_00007FF7870AE520
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870AE590 MultiByteToWideChar,malloc,MultiByteToWideChar,CertFindExtension,CryptDecodeObject,malloc,CryptDecodeObject,_stricmp,free,CryptFindOIDInfo,CryptFindOIDInfo,_stricmp,free,free,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,MultiByteToWideChar,malloc,MultiByteToWideChar,strncmp,isxdigit,isxdigit,strncmp,CertFindCertificateInStore,CertVerifyTimeValidity,CertFindCertificateInStore,free,OBJ_sn2nid,EVP_PKEY_get_bits,NCryptSignHash,SetLastError,strcmp,NCryptSignHash,SetLastError,calloc,CertOpenStore,CertCloseStore,CertOpenStore,CertCloseStore,CertGetNameStringW,malloc,CertGetNameStringW,d2i_X509,CryptAcquireCertificatePrivateKey,X509_free,NCryptFreeObject,CryptReleaseContext,CertFreeCertificateContext,EVP_PKEY_free,free,free,free,X509_get_pubkey,free,free, 8_2_00007FF7870AE590
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003478C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00480040 CryptReleaseContext,TextOutW, 8_2_00007FFE00480040
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CA040 OSSL_PROVIDER_do_all,CRYPTO_free,CRYPTO_zalloc,OBJ_txt2nid, 8_2_00007FFE004CA040
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4070 CRYPTO_free,CRYPTO_memdup, 8_2_00007FFE004C4070
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00508050 CRYPTO_malloc,COMP_expand_block, 8_2_00007FFE00508050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00516050 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,memcpy,EVP_MD_get0_name,EVP_MD_is_a,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug, 8_2_00007FFE00516050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00512100 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00512100
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B0130 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004B0130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4130 CRYPTO_set_ex_data, 8_2_00007FFE004C4130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F0120 CRYPTO_clear_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004F0120
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D40F0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 8_2_00007FFE004D40F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B40E0 CRYPTO_get_ex_data, 8_2_00007FFE004B40E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005081A0 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_mark,ERR_clear_last_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 8_2_00007FFE005081A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B6190 CRYPTO_malloc,CRYPTO_free, 8_2_00007FFE004B6190
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052C180 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,EVP_PKEY_derive_set_peer,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free, 8_2_00007FFE0052C180
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C8150 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004C8150
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4170 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004C4170
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BE220 CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free, 8_2_00007FFE004BE220
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EC220 CRYPTO_free, 8_2_00007FFE004EC220
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E21F0 CRYPTO_zalloc,BIO_ctrl,BIO_ctrl, 8_2_00007FFE004E21F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B81E0 CRYPTO_get_ex_data, 8_2_00007FFE004B81E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F0280 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004F0280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B02B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,strncmp,CRYPTO_free,OPENSSL_sk_new_null,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free, 8_2_00007FFE004B02B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F82B0 CRYPTO_memdup, 8_2_00007FFE004F82B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00510240 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug, 8_2_00007FFE00510240
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4270 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004C4270
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F4300 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_insert, 8_2_00007FFE004F4300
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BA330 CRYPTO_memdup,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004BA330
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FA320 CRYPTO_realloc, 8_2_00007FFE004FA320
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B42D0 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,CRYPTO_strdup,OPENSSL_LH_new,OPENSSL_LH_set_thunks,ERR_new,X509_STORE_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,OPENSSL_sk_num,ERR_new,OPENSSL_sk_new_null,ERR_new,OPENSSL_sk_new_null,ERR_new,CRYPTO_new_ex_data,ERR_new,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_set_error, 8_2_00007FFE004B42D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CC2D0 CRYPTO_free, 8_2_00007FFE004CC2D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A62C0 CRYPTO_clear_free, 8_2_00007FFE004A62C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4390 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004C4390
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050C360 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug, 8_2_00007FFE0050C360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00526360 ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,d2i_PUBKEY_ex,EVP_PKEY_missing_parameters,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free, 8_2_00007FFE00526360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D4340 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 8_2_00007FFE004D4340
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004DA340 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,CRYPTO_free, 8_2_00007FFE004DA340
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EA410 CRYPTO_zalloc,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free, 8_2_00007FFE004EA410
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D8410 CRYPTO_free,CRYPTO_free,CRYPTO_free,GetCurrentProcessId,OpenSSL_version,BIO_snprintf, 8_2_00007FFE004D8410
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E2400 CRYPTO_free, 8_2_00007FFE004E2400
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A23C0 CloseHandle,CloseHandle,DeleteCriticalSection,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004A23C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050A4B0 RAND_bytes_ex,CRYPTO_malloc,memset, 8_2_00007FFE0050A4B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005284B7 ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free, 8_2_00007FFE005284B7
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00502480 BIO_write_ex,BIO_write_ex,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00502480
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E2480 CRYPTO_zalloc, 8_2_00007FFE004E2480
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00520490 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00520490
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C44A0 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004C44A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C0450 CRYPTO_free,EVP_PKEY_free,CRYPTO_free, 8_2_00007FFE004C0450
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2460 CRYPTO_malloc,CRYPTO_zalloc,InitializeCriticalSection,CreateSemaphoreA,CreateSemaphoreA,CloseHandle,CRYPTO_free, 8_2_00007FFE004A2460
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00510510 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug, 8_2_00007FFE00510510
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004DE520 memcmp,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_set_debug,OSSL_ERR_STATE_new,OSSL_ERR_STATE_save,CRYPTO_free, 8_2_00007FFE004DE520
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B24D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free, 8_2_00007FFE004B24D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E84E0 CRYPTO_free, 8_2_00007FFE004E84E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C8590 CRYPTO_malloc,CRYPTO_realloc,memset,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,CRYPTO_free,CRYPTO_strdup,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_new,ERR_set_mark,EVP_KEYMGMT_fetch,X509_STORE_CTX_get0_param,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_nid2obj,OBJ_create,OBJ_create,OBJ_create,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,OBJ_add_sigid,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004C8590
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D45B0 BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup, 8_2_00007FFE004D45B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B25A0 CRYPTO_strdup,CRYPTO_free, 8_2_00007FFE004B25A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BC610 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error, 8_2_00007FFE004BC610
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00524630 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free, 8_2_00007FFE00524630
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052861C CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE0052861C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005285E4 ERR_new,ERR_set_debug,OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OSSL_STACK_OF_X509_free,EVP_PKEY_free,ERR_new,ERR_set_debug,X509_free,OSSL_STACK_OF_X509_free, 8_2_00007FFE005285E4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005285F6 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free, 8_2_00007FFE005285F6
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4670 CRYPTO_free,CRYPTO_malloc,memcpy, 8_2_00007FFE004C4670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EA710 OPENSSL_LH_retrieve,CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_free,CRYPTO_free, 8_2_00007FFE004EA710
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AE700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error, 8_2_00007FFE004AE700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F2700 OPENSSL_cleanse,CRYPTO_free, 8_2_00007FFE004F2700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A8720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE004A8720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005226D0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy, 8_2_00007FFE005226D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F2780 OPENSSL_cleanse,CRYPTO_free, 8_2_00007FFE004F2780
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EE7B0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004EE7B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052C770 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE0052C770
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A8812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new, 8_2_00007FFE004A8812
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00512800 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00512800
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A27F0 DeleteCriticalSection,CRYPTO_free, 8_2_00007FFE004A27F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F2890 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free, 8_2_00007FFE004F2890
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AE880 CRYPTO_THREAD_run_once, 8_2_00007FFE004AE880
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4850 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock, 8_2_00007FFE004C4850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EC850 CRYPTO_malloc,memcmp,memcpy,memcpy, 8_2_00007FFE004EC850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2860 CRYPTO_zalloc,InitializeCriticalSection, 8_2_00007FFE004A2860
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FE860 CRYPTO_malloc, 8_2_00007FFE004FE860
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F0920 CRYPTO_malloc,memcpy,CRYPTO_free, 8_2_00007FFE004F0920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EA920 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free, 8_2_00007FFE004EA920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F6921 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts, 8_2_00007FFE004F6921
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FE920 CRYPTO_free, 8_2_00007FFE004FE920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F08C0 CRYPTO_clear_free,CRYPTO_free, 8_2_00007FFE004F08C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FE8C0 CRYPTO_free, 8_2_00007FFE004FE8C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CA8C0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free, 8_2_00007FFE004CA8C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E68C0 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004E68C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0051C9B0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free, 8_2_00007FFE0051C9B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CC9B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004CC9B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F89A0 CRYPTO_realloc, 8_2_00007FFE004F89A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F4950 OPENSSL_LH_delete,CRYPTO_free, 8_2_00007FFE004F4950
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free, 8_2_00007FFE004A2940
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00502940 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free, 8_2_00007FFE00502940
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EE960 CRYPTO_zalloc, 8_2_00007FFE004EE960
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4A30 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE004C4A30
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BE9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug, 8_2_00007FFE004BE9C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B49F0 CRYPTO_memdup,CRYPTO_free, 8_2_00007FFE004B49F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FA9E0 CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004FA9E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B6A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup, 8_2_00007FFE004B6A90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2A80 CRYPTO_free,CRYPTO_free, 8_2_00007FFE004A2A80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052AA80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE0052AA80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004ACAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free, 8_2_00007FFE004ACAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EEAB0 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear, 8_2_00007FFE004EEAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052CA60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free, 8_2_00007FFE0052CA60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B4A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004B4A72
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D4A70 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free, 8_2_00007FFE004D4A70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00512A50 CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00512A50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EAA60 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free, 8_2_00007FFE004EAA60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00512B00 CRYPTO_realloc, 8_2_00007FFE00512B00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BAAD0 CRYPTO_set_ex_data, 8_2_00007FFE004BAAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FAAD0 CRYPTO_zalloc, 8_2_00007FFE004FAAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CCB90 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004CCB90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00526BB0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free, 8_2_00007FFE00526BB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AAB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free, 8_2_00007FFE004AAB80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00514B90 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug, 8_2_00007FFE00514B90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D6B40 CRYPTO_free,CRYPTO_free, 8_2_00007FFE004D6B40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004ACB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup, 8_2_00007FFE004ACB70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FAC00 CRYPTO_realloc, 8_2_00007FFE004FAC00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00506C00 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free, 8_2_00007FFE00506C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00516C00 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE00516C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D6BC0 CRYPTO_malloc, 8_2_00007FFE004D6BC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004BABF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00520CA0 CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00520CA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FECB0 CRYPTO_free, 8_2_00007FFE004FECB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A8C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset, 8_2_00007FFE004A8C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2C60 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004A2C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050CD00 EVP_MD_get_size,ERR_new,ERR_set_debug,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,EVP_DigestUpdate,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key_ex,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free, 8_2_00007FFE0050CD00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00520D00 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE00520D00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CCD20 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_memdup,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004CCD20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AECD0 COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort, 8_2_00007FFE004AECD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EACD0 CRYPTO_free, 8_2_00007FFE004EACD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00510CF0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy, 8_2_00007FFE00510CF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C4CC0 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,memcpy, 8_2_00007FFE004C4CC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F2CF0 OPENSSL_LH_retrieve,CRYPTO_zalloc,CRYPTO_free,OPENSSL_LH_insert,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_insert, 8_2_00007FFE004F2CF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AEDB0 CRYPTO_THREAD_run_once, 8_2_00007FFE004AEDB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EADA0 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free, 8_2_00007FFE004EADA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00518D60 CRYPTO_free,CRYPTO_memdup, 8_2_00007FFE00518D60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D4D40 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free, 8_2_00007FFE004D4D40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00508D50 BIO_free,BIO_free,BIO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,CRYPTO_free, 8_2_00007FFE00508D50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052CE30 BN_bin2bn,ERR_new,ERR_set_debug,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE0052CE30
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BCDC0 CRYPTO_malloc,CRYPTO_clear_free, 8_2_00007FFE004BCDC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FEE90 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004FEE90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A4E80 CRYPTO_free, 8_2_00007FFE004A4E80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00514E90 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE00514E90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00508E60 CRYPTO_zalloc,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_uint,ERR_new,strcmp,OSSL_PARAM_get_uint32,ERR_new,strcmp,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_int,ERR_new,ERR_new,ERR_set_debug,BIO_up_ref,BIO_free,BIO_up_ref,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_CIPHER_is_a,EVP_CIPHER_is_a, 8_2_00007FFE00508E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F2F00 OPENSSL_LH_retrieve,CRYPTO_free,OPENSSL_LH_delete,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free, 8_2_00007FFE004F2F00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C0EF0 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error, 8_2_00007FFE004C0EF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CCEE0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE004CCEE0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B2F50 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once, 8_2_00007FFE004B2F50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00520F50 CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00520F50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FEF60 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004FEF60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AD010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE004AD010
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C1000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error, 8_2_00007FFE004C1000
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A1030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv, 8_2_00007FFE004A1030
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A6FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug, 8_2_00007FFE004A6FC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004AB0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free, 8_2_00007FFE004AB0B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F30B0 EVP_EncryptUpdate,OPENSSL_LH_retrieve, 8_2_00007FFE004F30B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B5050 CRYPTO_set_ex_data, 8_2_00007FFE004B5050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C5050 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE004C5050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F3050 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free, 8_2_00007FFE004F3050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B5070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock, 8_2_00007FFE004B5070
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FF060 CRYPTO_malloc,CRYPTO_free, 8_2_00007FFE004FF060
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004DD110 CRYPTO_free, 8_2_00007FFE004DD110
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00517130 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE00517130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00503130 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free, 8_2_00007FFE00503130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B9120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock, 8_2_00007FFE004B9120
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D50E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 8_2_00007FFE004D50E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005291A0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug, 8_2_00007FFE005291A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F3190 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free, 8_2_00007FFE004F3190
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050B1B0 CRYPTO_free, 8_2_00007FFE0050B1B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CD150 CRYPTO_free,CRYPTO_malloc, 8_2_00007FFE004CD150
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050F170 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug, 8_2_00007FFE0050F170
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004ED140 CRYPTO_realloc, 8_2_00007FFE004ED140
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init, 8_2_00007FFE004A321D
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C1210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free, 8_2_00007FFE004C1210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E3230 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004E3230
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050B210 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE0050B210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004D51F0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free, 8_2_00007FFE004D51F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005112B0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug, 8_2_00007FFE005112B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FF280 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy, 8_2_00007FFE004FF280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00521260 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free, 8_2_00007FFE00521260
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A5240 CRYPTO_zalloc,CRYPTO_free, 8_2_00007FFE004A5240
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F1277 CRYPTO_realloc, 8_2_00007FFE004F1277
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C9300 CRYPTO_realloc,memcpy, 8_2_00007FFE004C9300
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0051B310 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free, 8_2_00007FFE0051B310
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F276CDE-219F-4225-94D5-04B7DB2F9854} Jump to behavior
Source: unknown HTTPS traffic detected: 104.21.81.131:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1978685438.00007FFDFA67C000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: R9GpVOQoR3.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1989067213.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: R9GpVOQoR3.msi, MSI834C.tmp.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003478C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EC1EC FindFirstFileExW, 8_2_00007FFE003EC1EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00346670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 8_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003433F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA, 8_2_00007FFE003433F0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49732 -> 104.21.81.131:443
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Source: openvpn.exe.1.dr Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmGetAppIdFromFileName0, FwpmEngineClose0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.81.131 104.21.81.131
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CDB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv, 8_2_00007FF7870CDB60
Source: global traffic DNS traffic detected: DNS query: key-keys.com
Source: unknown HTTP traffic detected: POST /licenseUser.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: key-keys.comContent-Length: 48Cache-Control: no-cache
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: openvpn.exe, openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://openvpn.net/faq.html#dhcpclientserv
Source: openvpn.exe, openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://openvpn.net/howto.html#mitm
Source: powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1902246354.0000000004711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: libcrypto-3-x64.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.1902246354.0000000004711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1902246354.0000000004DD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: R9GpVOQoR3.msi String found in binary or memory: https://key-keys.com/licenseUser.phpAI_DATA_SETTER_4Params
Source: powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: openvpn.exe String found in binary or memory: https://www.openssl.org/
Source: openvpn.exe, 00000008.00000002.1988845679.00007FFE00561000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 00000008.00000002.1986975321.00007FFDFA77F000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 104.21.81.131:443 -> 192.168.2.4:49732 version: TLS 1.2
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00346670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 8_2_00007FFE00346670
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870B0880: EVP_CIPHER_fetch,EVP_CIPHER_get_key_length,EVP_CIPHER_free,strcmp,strcmp,strcmp,strcmp,memcpy,memcpy,DeviceIoControl,_exit, 8_2_00007FF7870B0880
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\63589e.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6417.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI657F.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65CF.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI661E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6738.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI834C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2FB.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA33A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAD4D.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB703.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{2F276CDE-219F-4225-94D5-04B7DB2F9854} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB80D.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6358a1.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6358a1.msi Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI6417.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787125C20 8_2_00007FF787125C20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870A3440 8_2_00007FF7870A3440
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870A9460 8_2_00007FF7870A9460
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787106060 8_2_00007FF787106060
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712E470 8_2_00007FF78712E470
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871148D0 8_2_00007FF7871148D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871434A0 8_2_00007FF7871434A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C48C0 8_2_00007FF7870C48C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870E4D00 8_2_00007FF7870E4D00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78713E350 8_2_00007FF78713E350
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787136F80 8_2_00007FF787136F80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712F380 8_2_00007FF78712F380
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870A1F60 8_2_00007FF7870A1F60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CDB60 8_2_00007FF7870CDB60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78713FF60 8_2_00007FF78713FF60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871237C0 8_2_00007FF7871237C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871353C0 8_2_00007FF7871353C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712ABD0 8_2_00007FF78712ABD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787110BA0 8_2_00007FF787110BA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C2BC0 8_2_00007FF7870C2BC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870D27C0 8_2_00007FF7870D27C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CA3F0 8_2_00007FF7870CA3F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787123FE0 8_2_00007FF787123FE0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871457E0 8_2_00007FF7871457E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78714A240 8_2_00007FF78714A240
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870F3A20 8_2_00007FF7870F3A20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787119650 8_2_00007FF787119650
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870A5640 8_2_00007FF7870A5640
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787141630 8_2_00007FF787141630
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870D6A60 8_2_00007FF7870D6A60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787137E90 8_2_00007FF787137E90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870A6290 8_2_00007FF7870A6290
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C16B0 8_2_00007FF7870C16B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78710BAA0 8_2_00007FF78710BAA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712D2A0 8_2_00007FF78712D2A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78713EAB0 8_2_00007FF78713EAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C8EBD 8_2_00007FF7870C8EBD
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78713EF10 8_2_00007FF78713EF10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712E710 8_2_00007FF78712E710
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871426F0 8_2_00007FF7871426F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787136540 8_2_00007FF787136540
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870ABD20 8_2_00007FF7870ABD20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78713A130 8_2_00007FF78713A130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870B9D70 8_2_00007FF7870B9D70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870AAD60 8_2_00007FF7870AAD60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C8D60 8_2_00007FF7870C8D60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870AE590 8_2_00007FF7870AE590
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7871025B0 8_2_00007FF7871025B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870C21A0 8_2_00007FF7870C21A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787139DA0 8_2_00007FF787139DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787111600 8_2_00007FF787111600
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712AA10 8_2_00007FF78712AA10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78714BE10 8_2_00007FF78714BE10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78712A1E0 8_2_00007FF78712A1E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787126DF0 8_2_00007FF787126DF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344090 8_2_00007FFE00344090
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034AC80 8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003433F0 8_2_00007FFE003433F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003455A0 8_2_00007FFE003455A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003478C0 8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 8_2_00007FFE00349CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E6068 8_2_00007FFE003E6068
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DE0CC 8_2_00007FFE003DE0CC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E815C 8_2_00007FFE003E815C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D4210 8_2_00007FFE003D4210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EC1EC 8_2_00007FFE003EC1EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D4414 8_2_00007FFE003D4414
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E83D8 8_2_00007FFE003E83D8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E24AC 8_2_00007FFE003E24AC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E0588 8_2_00007FFE003E0588
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EE614 8_2_00007FFE003EE614
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034E6A0 8_2_00007FFE0034E6A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00346670 8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E66E8 8_2_00007FFE003E66E8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344B70 8_2_00007FFE00344B70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E8C24 8_2_00007FFE003E8C24
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00348CB0 8_2_00007FFE00348CB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DCE98 8_2_00007FFE003DCE98
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D8EA8 8_2_00007FFE003D8EA8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D4EC0 8_2_00007FFE003D4EC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003F2ED0 8_2_00007FFE003F2ED0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003F0FE0 8_2_00007FFE003F0FE0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DF108 8_2_00007FFE003DF108
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DB2E0 8_2_00007FFE003DB2E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D93B4 8_2_00007FFE003D93B4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EB410 8_2_00007FFE003EB410
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00347460 8_2_00007FFE00347460
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DD53C 8_2_00007FFE003DD53C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034F530 8_2_00007FFE0034F530
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003F356C 8_2_00007FFE003F356C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349790 8_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EF790 8_2_00007FFE003EF790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D5854 8_2_00007FFE003D5854
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D39F0 8_2_00007FFE003D39F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DBB2C 8_2_00007FFE003DBB2C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E5BD4 8_2_00007FFE003E5BD4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D3BF4 8_2_00007FFE003D3BF4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D5C58 8_2_00007FFE003D5C58
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D3E00 8_2_00007FFE003D3E00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003D4004 8_2_00007FFE003D4004
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00516050 8_2_00007FFE00516050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE005081A0 8_2_00007FFE005081A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004A2210 8_2_00007FFE004A2210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FE280 8_2_00007FFE004FE280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004DC250 8_2_00007FFE004DC250
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004C22E0 8_2_00007FFE004C22E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EC360 8_2_00007FFE004EC360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050A4B0 8_2_00007FFE0050A4B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052C450 8_2_00007FFE0052C450
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BC610 8_2_00007FFE004BC610
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050E6B0 8_2_00007FFE0050E6B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00510720 8_2_00007FFE00510720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004E8710 8_2_00007FFE004E8710
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00500720 8_2_00007FFE00500720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050A880 8_2_00007FFE0050A880
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EC850 8_2_00007FFE004EC850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004CCAA0 8_2_00007FFE004CCAA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00526BB0 8_2_00007FFE00526BB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004F8CB0 8_2_00007FFE004F8CB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0050CD00 8_2_00007FFE0050CD00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004B0EB0 8_2_00007FFE004B0EB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00514E90 8_2_00007FFE00514E90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00504E60 8_2_00007FFE00504E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004EEF10 8_2_00007FFE004EEF10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00503130 8_2_00007FFE00503130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004FF280 8_2_00007FFE004FF280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00517270 8_2_00007FFE00517270
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052E2CE appears 37 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FF7870B2CE0 appears 934 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052E2DA appears 35 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FF7870B3310 appears 49 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052E2D4 appears 257 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FF7870A26F0 appears 77 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE003CDAAC appears 216 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052EA72 appears 110 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FF7870B3290 appears 515 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052EFC0 appears 470 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE004E92F0 appears 57 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052E39A appears 714 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE004D8340 appears 44 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE0052EA66 appears 139 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: String function: 00007FFE004D83D0 appears 46 times
PE file contains more sections than normal
Source: libwinpthread-1.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: libassuan-0.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: vlc.exe.1.dr Static PE information: Number of sections : 14 > 10
Source: libgpg-error-0.dll.1.dr Static PE information: Number of sections : 12 > 10
PE file does not import any functions
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: R9GpVOQoR3.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi Binary or memory string: OriginalFilenameSecureProp.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs R9GpVOQoR3.msi
Source: classification engine Classification label: sus38.troj.evad.winMSI@10/153@1/1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 8_2_00007FFE00344090
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003455A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit, 8_2_00007FFE003455A0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB861.tmp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFED056EB7B30F59ED.TMP Jump to behavior
Source: C:\Windows\System32\msiexec.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload Jump to behavior
Source: openvpn.exe String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe String found in binary or memory: Use --help for more information.
Source: openvpn.exe String found in binary or memory: Use --help for more information.
Source: openvpn.exe String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe String found in binary or memory: tun-stop
Source: openvpn.exe String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: openvpn.exe String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\R9GpVOQoR3.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: libssl-3-x64.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: libcrypto-3-x64.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: libpkcs11-helper-1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: libcrypto-3-x64.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Section loaded: cryptbase.dll Jump to behavior
Source: vlc.lnk.1.dr LNK file: ..\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F276CDE-219F-4225-94D5-04B7DB2F9854} Jump to behavior
Source: R9GpVOQoR3.msi Static file information: File size 56130466 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1978685438.00007FFDFA67C000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: R9GpVOQoR3.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1989067213.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: R9GpVOQoR3.msi, MSI834C.tmp.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Binary contains a suspicious time stamp
Source: vlc.exe.1.dr Static PE information: 0xA6D0A6C0 [Sun Sep 8 06:27:12 2058 UTC]
PE file contains sections with non-standard names
Source: vlc.exe.1.dr Static PE information: section name: .buildid
Source: vlc.exe.1.dr Static PE information: section name: .xdata
Source: vlc.exe.1.dr Static PE information: section name: /4
Source: libassuan-0.dll.1.dr Static PE information: section name: .xdata
Source: libgpg-error-0.dll.1.dr Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Source: libwinpthread-1.dll.1.dr Static PE information: section name: .xdata
Source: SecureProp.dll.1.dr Static PE information: section name: .fptable
Source: UnRar.exe.1.dr Static PE information: section name: _RDATA
Source: libpkcs11-helper-1.dll.1.dr Static PE information: section name: .hdata
Source: MSIAD4D.tmp.1.dr Static PE information: section name: .fptable
Source: MSI6417.tmp.1.dr Static PE information: section name: .fptable
Source: MSI657F.tmp.1.dr Static PE information: section name: .fptable
Source: MSI65CF.tmp.1.dr Static PE information: section name: .fptable
Source: MSI661E.tmp.1.dr Static PE information: section name: .fptable
Source: MSI6738.tmp.1.dr Static PE information: section name: .fptable
Source: MSI834C.tmp.1.dr Static PE information: section name: .fptable
Source: MSIA2FB.tmp.1.dr Static PE information: section name: .fptable
Source: MSIA33A.tmp.1.dr Static PE information: section name: .fptable
Source: MSIB703.tmp.1.dr Static PE information: section name: .fptable
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_02A0BD83 push esp; ret 4_2_02A0BD93
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870BD2CD push rbx; iretd 8_2_00007FF7870BD2CE
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00484745 push rsi; ret 8_2_00007FFE00484746
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BC2B8 push 050001C2h; retn 0001h 8_2_00007FFE004BC2C5
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BC2D0 push 680001C2h; retn 0001h 8_2_00007FFE004BC2D5
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE004BC2C8 push 680001C2h; retn 0001h 8_2_00007FFE004BC2CD
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6738.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2FB.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAD4D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA33A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libcrypto-3-x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\VCRUNTIME140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI657F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI834C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI661E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6417.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65CF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB703.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI661E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6417.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6738.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2FB.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAD4D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA33A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65CF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI657F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI834C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB703.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Contains functionality to query network adapater information
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetAdaptersInfo,malloc,GetAdaptersInfo,malloc, 8_2_00007FF787137970
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3750 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 583 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6738.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA2FB.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAD4D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA33A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI657F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI834C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI661E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6417.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI65CF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB703.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Found evasive API chain (might use process or thread times for sandbox detection)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003455A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit, 8_2_00007FFE003455A0
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe API coverage: 1.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep count: 3750 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 583 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003478C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect, 8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EC1EC FindFirstFileExW, 8_2_00007FFE003EC1EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00346670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct 8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 8_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003433F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA, 8_2_00007FFE003433F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 8_2_00007FFE00349CD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompiler.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q5classes/com/sun/jdi/PathSearchingVirtualMachine.class}
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QJclasses/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIBackend.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QCclasses/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses$ClassInfo.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses$ClassInfo.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q@classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QEclasses/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q4classes/com/sun/tools/jdi/VirtualMachineImpl$1.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIRuntime.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q6classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompiler.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q%classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerImpl.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: .classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QIclasses/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: HWJclasses/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q4classes/jdk/vm/ci/services/JVMCIServiceLocator.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/services/JVMCIPermission.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QEclasses/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q4classes/jdk/vm/ci/runtime/JVMCICompilerFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QBclasses/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QAclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QHclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses$ClassInfo.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/services/JVMCIServiceLocator.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: Wclasses/com/sun/tools/jdi/JDWP$VirtualMachine.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q3classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q:classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIBackend.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerService.class}
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.classPK
Source: jdk.jconsole.jmod.1.dr Binary or memory string: n/Q4classes/sun/tools/jconsole/LocalVirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q0classes/jdk/vm/ci/services/JVMCIPermission.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QIclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q3classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCICompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: ;%Eclasses/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QVclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QHclasses/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q<classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q8classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QFclasses/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: :B:classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/PathSearchingVirtualMachine.class}
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q-classes/jdk/vm/ci/runtime/JVMCICompiler.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QBclasses/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/services/JVMCIServiceLocator.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q;classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerImpl.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QLclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: Et?classes/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerService.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QPclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/PathSearchingVirtualMachine.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: )classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: 5classes/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q<classes/com/sun/tools/jdi/VirtualMachineManagerService.class}
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q@classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIBackend.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/services/JVMCIPermission.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: Qclasses/com/sun/tools/jdi/JDWP$VirtualMachine$Version.classPK
Source: jdk.jconsole.jmod.1.dr Binary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: Bv"classes/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/VirtualMachineManager.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QLclasses/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/common/JVMCIError.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q2classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QOclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QFclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCI.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QCclasses/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q)classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QEclasses/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.classPK
Source: jdk.jconsole.jmod.1.dr Binary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q9classes/com/sun/tools/jdi/VirtualMachineManagerImpl.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/QSclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q(classes/com/sun/jdi/VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/jdi/VirtualMachine.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.classPK
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.jdi.jmod.1.dr Binary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.classPK
Source: jdk.jdi.jmod.1.dr Binary or memory string: n/Q/classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: n/QGclasses/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.internal.vm.ci.jmod.1.dr Binary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.classPK
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 8_2_00007FFE00344090
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 8_2_00007FFE00344090
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78714C9F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF78714C9F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 8_2_00007FFE00344090
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 8_2_00007FFE00349CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003CC808 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFE003CC808
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003DC8B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFE003DC8B4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00480DA0 SetUnhandledExceptionFilter, 8_2_00007FFE00480DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0052F040 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFE0052F040

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW, 8_2_00007FFE00349790
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssadc5.ps1" -propfile "c:\users\user\appdata\local\temp\msiadb3.txt" -scriptfile "c:\users\user\appdata\local\temp\scradb4.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scradb5.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssadc5.ps1" -propfile "c:\users\user\appdata\local\temp\msiadb3.txt" -scriptfile "c:\users\user\appdata\local\temp\scradb4.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scradb5.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue." Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787143F40 GetStdHandle,GetConsoleMode,SetConsoleMode,_exit,SetConsoleCtrlHandler,MultiByteToWideChar,malloc,MultiByteToWideChar,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,WaitForSingleObject,free,_exit, 8_2_00007FF787143F40
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003F5D60 cpuid 8_2_00007FFE003F5D60
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount, 8_2_00007FFE00344090
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA, 8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW, 8_2_00007FFE003F007C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW, 8_2_00007FFE003F014C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00007FFE003F01E4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: SetProcessShutdownParameters,GetLocaleInfoEx, 8_2_00007FFE00480390
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetThreadSelectorEntry,GetLocaleInfoEx, 8_2_00007FFE00480398
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoEx, 8_2_00007FFE004803A8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW, 8_2_00007FFE003F042C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW, 8_2_00007FFE004804F8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00007FFE003F0584
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW, 8_2_00007FFE003F0634
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunction,EnumSystemLocales 8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00007FFE003F0768
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW, 8_2_00007FFE003E4C50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW, 8_2_00007FFE003E51E8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_00007FFE003EFD20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78714D3EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FF78714D3EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E815C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 8_2_00007FFE003E815C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 8_2_00007FFE00349CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CD370 socket,listen,_exit,getsockname,free,free, 8_2_00007FF7870CD370
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787115E60 setsockopt,bind,_exit, 8_2_00007FF787115E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787115660 listen,_exit,free,free, 8_2_00007FF787115660
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit, 8_2_00007FFE00349CD0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562675 Sample: R9GpVOQoR3.msi Startdate: 25/11/2024 Architecture: WINDOWS Score: 38 41 key-keys.com 2->41 47 Suricata IDS alerts for network traffic 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 NDIS Filter Driver detected (likely used to intercept and sniff network traffic) 2->51 53 3 other signatures 2->53 9 msiexec.exe 126 172 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 27 C:\Windows\Installer\MSIB703.tmp, PE32 9->27 dropped 29 C:\Windows\Installer\MSIAD4D.tmp, PE32 9->29 dropped 31 C:\Windows\Installer\MSIA33A.tmp, PE32 9->31 dropped 33 40 other files (12 malicious) 9->33 dropped 14 msiexec.exe 38 9->14         started        19 openvpn.exe 1 9->19         started        process6 dnsIp7 43 key-keys.com 104.21.81.131, 443, 49732 CLOUDFLARENETUS United States 14->43 35 C:\Users\user\AppData\Local\...\scrADB4.ps1, Unicode 14->35 dropped 37 C:\Users\user\AppData\Local\...\pssADC5.ps1, Unicode 14->37 dropped 39 C:\Users\user\AppData\Local\...\msiADB3.txt, Unicode 14->39 dropped 45 Bypasses PowerShell execution policy 14->45 21 powershell.exe 17 14->21         started        23 conhost.exe 19->23         started        file8 signatures9 process10 process11 25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.81.131
 key-keys.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
key-keys.com 104.21.81.131 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://key-keys.com/licenseUser.php true
  • Avira URL Cloud: safe
 unknown