Windows Analysis Report
R9GpVOQoR3.msi

Overview

General Information

Sample name: R9GpVOQoR3.msi (renamed because original name is a hash value)
Original sample name: 88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70.msi
Analysis ID: 1562675
MD5: dce26534527d10b00359837951a4f672
SHA1: 35f2bf722f71ac7d356aca4d097099a8cc3fec23
SHA256: 88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70
Tags: msi, user-johnk3r

Detection

Score: 38
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (might use process or thread times for sandbox detection)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7488 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\R9GpVOQoR3.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7520 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7632 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7944 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • openvpn.exe (PID: 7160 cmdline: "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe" MD5: 5E807B5DAD1B6C81982037C714DC9AEF)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started (five entries with identical event data, differing only in author)
  • Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  • Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  • Author: frack113
  • Author: frack113
  • Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data:
    Command, CommandLine, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    CommandLine|base64offset|contains: (empty)
    Image, NewProcessName, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85
    ParentImage: C:\Windows\SysWOW64\msiexec.exe
    ParentProcessId: 7632
    ParentProcessName: msiexec.exe
    ProcessId: 7944
    ProcessName: powershell.exe
Source: Network Connection
  • Author: frack113
  Data: DestinationIp: 104.21.81.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7632, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T21:33:28.737873+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.81.131 | 443 | TCP

AV Detection

Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dll, ReversingLabs: Detection: 23%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AE700 CRYPTO_malloc,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,8_2_00007FFE004AE700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F2700 OPENSSL_cleanse,CRYPTO_free,8_2_00007FFE004F2700
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A8720 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE004A8720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005226D0 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,8_2_00007FFE005226D0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F2780 OPENSSL_cleanse,CRYPTO_free,8_2_00007FFE004F2780
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EE7B0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE004EE7B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052C770 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE0052C770
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A8812 ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,8_2_00007FFE004A8812
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00512800 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE00512800
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A27F0 DeleteCriticalSection,CRYPTO_free,8_2_00007FFE004A27F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F2890 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_zalloc,OPENSSL_cleanse,CRYPTO_free,8_2_00007FFE004F2890
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AE880 CRYPTO_THREAD_run_once,8_2_00007FFE004AE880
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C4850 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,8_2_00007FFE004C4850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EC850 CRYPTO_malloc,memcmp,memcpy,memcpy,8_2_00007FFE004EC850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A2860 CRYPTO_zalloc,InitializeCriticalSection,8_2_00007FFE004A2860
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FE860 CRYPTO_malloc,8_2_00007FFE004FE860
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F0920 CRYPTO_malloc,memcpy,CRYPTO_free,8_2_00007FFE004F0920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EA920 OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,8_2_00007FFE004EA920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F6921 BIO_puts,BIO_puts,CRYPTO_zalloc,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,BIO_printf,CRYPTO_free,BIO_puts,8_2_00007FFE004F6921
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FE920 CRYPTO_free,8_2_00007FFE004FE920
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F08C0 CRYPTO_clear_free,CRYPTO_free,8_2_00007FFE004F08C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FE8C0 CRYPTO_free,8_2_00007FFE004FE8C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CA8C0 EVP_PKEY_new,CRYPTO_malloc,CRYPTO_malloc,ERR_set_mark,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,OBJ_txt2nid,OBJ_txt2nid,OBJ_txt2nid,ERR_pop_to_mark,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,8_2_00007FFE004CA8C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004E68C0 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFE004E68C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0051C9B0 ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,8_2_00007FFE0051C9B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CC9B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,8_2_00007FFE004CC9B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F89A0 CRYPTO_realloc,8_2_00007FFE004F89A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F4950 OPENSSL_LH_delete,CRYPTO_free,8_2_00007FFE004F4950
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A2940 CRYPTO_zalloc,_beginthreadex,CRYPTO_free,8_2_00007FFE004A2940
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00502940 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFE00502940
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EE960 CRYPTO_zalloc,8_2_00007FFE004EE960
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C4A30 ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE004C4A30
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BE9C0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,8_2_00007FFE004BE9C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B49F0 CRYPTO_memdup,CRYPTO_free,8_2_00007FFE004B49F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FA9E0 CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE004FA9E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B6A90 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,OSSL_PARAM_construct_int,OSSL_PARAM_construct_end,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,8_2_00007FFE004B6A90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A2A80 CRYPTO_free,CRYPTO_free,8_2_00007FFE004A2A80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052AA80 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,ERR_new,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE0052AA80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004ACAB0 X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,8_2_00007FFE004ACAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EEAB0 BIO_ADDR_family,BIO_ADDR_family,memcmp,BIO_ADDR_family,BIO_ADDR_family,memcmp,CRYPTO_malloc,BIO_ADDR_clear,BIO_ADDR_clear,8_2_00007FFE004EEAB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052CA60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_uint32,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,8_2_00007FFE0052CA60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B4A72 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,8_2_00007FFE004B4A72
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D4A70 ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,8_2_00007FFE004D4A70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00512A50 CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE00512A50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EAA60 CRYPTO_zalloc,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_free,CRYPTO_free,8_2_00007FFE004EAA60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00512B00 CRYPTO_realloc,8_2_00007FFE00512B00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BAAD0 CRYPTO_set_ex_data,8_2_00007FFE004BAAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FAAD0 CRYPTO_zalloc,8_2_00007FFE004FAAD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CCB90 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,8_2_00007FFE004CCB90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00526BB0 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,EVP_CIPHER_free,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,8_2_00007FFE00526BB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AAB80 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,X509_free,EVP_PKEY_free,d2i_PUBKEY_ex,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,8_2_00007FFE004AAB80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00514B90 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFE00514B90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D6B40 CRYPTO_free,CRYPTO_free,8_2_00007FFE004D6B40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004ACB70 CRYPTO_zalloc,CRYPTO_zalloc,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_memdup,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,8_2_00007FFE004ACB70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FAC00 CRYPTO_realloc,8_2_00007FFE004FAC00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00506C00 ERR_new,ERR_set_debug,SetLastError,BIO_write,BIO_test_flags,BIO_test_flags,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFE00506C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00516C00 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE00516C00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D6BC0 CRYPTO_malloc,8_2_00007FFE004D6BC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BABF0 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,8_2_00007FFE004BABF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00520CA0 CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE00520CA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FECB0 CRYPTO_free,8_2_00007FFE004FECB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A8C60 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,8_2_00007FFE004A8C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A2C60 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFE004A2C60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050CD00 EVP_MD_get_size,ERR_new,ERR_set_debug,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,EVP_DigestUpdate,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key_ex,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,8_2_00007FFE0050CD00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00520D00 CRYPTO_zalloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_zalloc,CRYPTO_free,8_2_00007FFE00520D00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CCD20 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,8_2_00007FFE004CCD20
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AECD0 COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,8_2_00007FFE004AECD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EACD0 CRYPTO_free,8_2_00007FFE004EACD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00510CF0 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,8_2_00007FFE00510CF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C4CC0 CRYPTO_zalloc,CRYPTO_new_ex_data,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,memcpy,8_2_00007FFE004C4CC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F2CF0 OPENSSL_LH_retrieve,CRYPTO_zalloc,CRYPTO_free,OPENSSL_LH_insert,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_insert,8_2_00007FFE004F2CF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AEDB0 CRYPTO_THREAD_run_once,8_2_00007FFE004AEDB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EADA0 CRYPTO_zalloc,OSSL_ERR_STATE_new,CRYPTO_free,8_2_00007FFE004EADA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00518D60 CRYPTO_free,CRYPTO_memdup,8_2_00007FFE00518D60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D4D40 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,8_2_00007FFE004D4D40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00508D50 BIO_free,BIO_free,BIO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,CRYPTO_free,8_2_00007FFE00508D50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052CE30 BN_bin2bn,ERR_new,ERR_set_debug,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE0052CE30
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BCDC0 CRYPTO_malloc,CRYPTO_clear_free,8_2_00007FFE004BCDC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FEE90 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,8_2_00007FFE004FEE90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A4E80 CRYPTO_free,8_2_00007FFE004A4E80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00514E90 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE00514E90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00508E60 CRYPTO_zalloc,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_uint,ERR_new,strcmp,OSSL_PARAM_get_uint32,ERR_new,strcmp,OSSL_PARAM_get_int,ERR_new,OSSL_PARAM_get_int,ERR_new,ERR_new,ERR_set_debug,BIO_up_ref,BIO_free,BIO_up_ref,BIO_up_ref,ERR_new,ERR_set_debug,ERR_set_error,EVP_CIPHER_is_a,EVP_CIPHER_is_a,8_2_00007FFE00508E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F2F00 OPENSSL_LH_retrieve,CRYPTO_free,OPENSSL_LH_delete,OPENSSL_LH_retrieve,OPENSSL_LH_insert,OPENSSL_LH_error,OPENSSL_LH_delete,CRYPTO_free,8_2_00007FFE004F2F00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C0EF0 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,8_2_00007FFE004C0EF0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CCEE0 CRYPTO_free,memset,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE004CCEE0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B2F50 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,8_2_00007FFE004B2F50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00520F50 CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE00520F50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FEF60 OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE004FEF60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AD010 EVP_PKEY_free,X509_free,EVP_PKEY_free,OSSL_STACK_OF_X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE004AD010
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C1000 CRYPTO_malloc,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,CRYPTO_realloc,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,8_2_00007FFE004C1000
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A1030 GetEnvironmentVariableW,GetACP,MultiByteToWideChar,malloc,MultiByteToWideChar,GetEnvironmentVariableW,malloc,GetEnvironmentVariableW,WideCharToMultiByte,CRYPTO_malloc,WideCharToMultiByte,CRYPTO_free,free,free,getenv,8_2_00007FFE004A1030
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A6FC0 EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,8_2_00007FFE004A6FC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004AB0B0 i2d_PUBKEY,ASN1_item_i2d,CRYPTO_free,8_2_00007FFE004AB0B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F30B0 EVP_EncryptUpdate,OPENSSL_LH_retrieve,8_2_00007FFE004F30B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B5050 CRYPTO_set_ex_data,8_2_00007FFE004B5050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C5050 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE004C5050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F3050 OPENSSL_LH_free,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,8_2_00007FFE004F3050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B5070 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,8_2_00007FFE004B5070
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FF060 CRYPTO_malloc,CRYPTO_free,8_2_00007FFE004FF060
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004DD110 CRYPTO_free,8_2_00007FFE004DD110
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00517130 memchr,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE00517130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00503130 ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_CIPHER_CTX_get0_cipher,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,8_2_00007FFE00503130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B9120 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,8_2_00007FFE004B9120
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D50E0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,8_2_00007FFE004D50E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005291A0 CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,8_2_00007FFE005291A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F3190 RAND_priv_bytes_ex,CRYPTO_zalloc,EVP_CIPHER_fetch,EVP_CIPHER_CTX_new,EVP_CIPHER_free,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_new,OPENSSL_LH_set_thunks,OPENSSL_LH_free,OPENSSL_LH_doall,OPENSSL_LH_free,EVP_CIPHER_CTX_free,CRYPTO_free,EVP_CIPHER_free,8_2_00007FFE004F3190
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050B1B0 CRYPTO_free,8_2_00007FFE0050B1B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CD150 CRYPTO_free,CRYPTO_malloc,8_2_00007FFE004CD150
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050F170 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,8_2_00007FFE0050F170
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004ED140 CRYPTO_realloc,8_2_00007FFE004ED140
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A321D X509_VERIFY_PARAM_get0_peername,ASYNC_WAIT_CTX_get_status,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,X509_VERIFY_PARAM_get0_peername,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,8_2_00007FFE004A321D
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C1210 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,8_2_00007FFE004C1210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004E3230 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFE004E3230
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050B210 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE0050B210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004D51F0 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,8_2_00007FFE004D51F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005112B0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,8_2_00007FFE005112B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FF280 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,8_2_00007FFE004FF280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00521260 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,8_2_00007FFE00521260
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A5240 CRYPTO_zalloc,CRYPTO_free,8_2_00007FFE004A5240
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F1277 CRYPTO_realloc,8_2_00007FFE004F1277
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C9300 CRYPTO_realloc,memcpy,8_2_00007FFE004C9300
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0051B310 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_size,ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,8_2_00007FFE0051B310
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F276CDE-219F-4225-94D5-04B7DB2F9854}
Source: unknown HTTPS traffic detected: 104.21.81.131:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1978685438.00007FFDFA67C000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: R9GpVOQoR3.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1989067213.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: R9GpVOQoR3.msi, MSI834C.tmp.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0034AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003478C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect,8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003EC1EC FindFirstFileExW,8_2_00007FFE003EC1EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00346670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSi
zeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW,8_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003433F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA,8_2_00007FFE003433F0

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49732 -> 104.21.81.131:443
Source: openvpn.exe.1.dr Static PE information: Found NDIS imports: FwpmFilterAdd0, FwpmFreeMemory0, FwpmEngineOpen0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmGetAppIdFromFileName0, FwpmEngineClose0
Source: Joe Sandbox View IP Address: 104.21.81.131
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CDB60 malloc,free,CRYPTO_memcmp,strcmp,strcmp,_close,free,free,free,free,free,recv
Source: global traffic DNS traffic detected: DNS query: key-keys.com
Source: unknown HTTP traffic detected:
POST /licenseUser.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AdvancedInstaller
Host: key-keys.com
Content-Length: 48
Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870B0880: EVP_CIPHER_fetch,EVP_CIPHER_get_key_length,EVP_CIPHER_free,strcmp,strcmp,strcmp,strcmp,memcpy,memcpy,DeviceIoControl,_exit
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\63589e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6417.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI657F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65CF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI661E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6738.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI834C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2FB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA33A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAD4D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB703.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{2F276CDE-219F-4225-94D5-04B7DB2F9854}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB80D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6358a1.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI6417.tmp
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003E66E88_2_00007FFE003E66E8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00344B708_2_00007FFE00344B70
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003E8C248_2_00007FFE003E8C24
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00348CB08_2_00007FFE00348CB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DCE988_2_00007FFE003DCE98
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D8EA88_2_00007FFE003D8EA8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D4EC08_2_00007FFE003D4EC0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003F2ED08_2_00007FFE003F2ED0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003F0FE08_2_00007FFE003F0FE0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DF1088_2_00007FFE003DF108
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DB2E08_2_00007FFE003DB2E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D93B48_2_00007FFE003D93B4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003EB4108_2_00007FFE003EB410
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003474608_2_00007FFE00347460
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DD53C8_2_00007FFE003DD53C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0034F5308_2_00007FFE0034F530
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003F356C8_2_00007FFE003F356C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003497908_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003EF7908_2_00007FFE003EF790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D58548_2_00007FFE003D5854
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D39F08_2_00007FFE003D39F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DBB2C8_2_00007FFE003DBB2C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003E5BD48_2_00007FFE003E5BD4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D3BF48_2_00007FFE003D3BF4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D5C588_2_00007FFE003D5C58
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D3E008_2_00007FFE003D3E00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003D40048_2_00007FFE003D4004
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005160508_2_00007FFE00516050
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005081A08_2_00007FFE005081A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004A22108_2_00007FFE004A2210
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FE2808_2_00007FFE004FE280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004DC2508_2_00007FFE004DC250
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004C22E08_2_00007FFE004C22E0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EC3608_2_00007FFE004EC360
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050A4B08_2_00007FFE0050A4B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052C4508_2_00007FFE0052C450
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BC6108_2_00007FFE004BC610
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050E6B08_2_00007FFE0050E6B0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005107208_2_00007FFE00510720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004E87108_2_00007FFE004E8710
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005007208_2_00007FFE00500720
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050A8808_2_00007FFE0050A880
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EC8508_2_00007FFE004EC850
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004CCAA08_2_00007FFE004CCAA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00526BB08_2_00007FFE00526BB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004F8CB08_2_00007FFE004F8CB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0050CD008_2_00007FFE0050CD00
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004B0EB08_2_00007FFE004B0EB0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00514E908_2_00007FFE00514E90
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00504E608_2_00007FFE00504E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004EEF108_2_00007FFE004EEF10
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005031308_2_00007FFE00503130
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004FF2808_2_00007FFE004FF280
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE005172708_2_00007FFE00517270
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052E2CE appears 37 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FF7870B2CE0 appears 934 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052E2DA appears 35 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FF7870B3310 appears 49 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052E2D4 appears 257 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FF7870A26F0 appears 77 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE003CDAAC appears 216 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052EA72 appears 110 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FF7870B3290 appears 515 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052EFC0 appears 470 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE004E92F0 appears 57 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052E39A appears 714 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE004D8340 appears 44 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE0052EA66 appears 139 times
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: String function: 00007FFE004D83D0 appears 46 times
Source: libwinpthread-1.dll.1.dr | Static PE information: Number of sections: 12 > 10
Source: libassuan-0.dll.1.dr | Static PE information: Number of sections: 12 > 10
Source: vlc.exe.1.dr | Static PE information: Number of sections: 14 > 10
Source: libgpg-error-0.dll.1.dr | Static PE information: Number of sections: 12 > 10
Source: api-ms-win-core-string-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
Source: R9GpVOQoR3.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi | Binary or memory string: OriginalFilenameSecureProp.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi | Binary or memory string: OriginalFilenameDataUploader.dllF vs R9GpVOQoR3.msi
Source: R9GpVOQoR3.msi | Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs R9GpVOQoR3.msi
Source: classification engine | Classification label: sus38.troj.evad.winMSI@10/153@1/1
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe | Code function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe | Code function: 8_2_00007FFE003455A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB861.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFED056EB7B30F59ED.TMP
Source: C:\Windows\System32\msiexec.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: openvpn.exe | String found in binary or memory: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Source: openvpn.exe | String found in binary or memory: Use --help for more information.
Source: openvpn.exe | String found in binary or memory: %s General Options: --config file : Read configuration options from file. --help : Show options. --version : Show copyright and version information. Tunnel Options: --local host : Local host name or ip address. Implies --bind. --remote ho
Source: openvpn.exe | String found in binary or memory: tun-stop
Source: openvpn.exe | String found in binary or memory: %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\R9GpVOQoR3.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libssl-3-x64.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libcrypto-3-x64.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: libpkcs11-helper-1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeSection loaded: cryptbase.dllJump to behavior
Source: vlc.lnk.1.drLNK file: ..\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F276CDE-219F-4225-94D5-04B7DB2F9854}Jump to behavior
Source: R9GpVOQoR3.msiStatic file information: File size 56130466 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb, source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libcrypto-3-x64.pdb source: openvpn.exe, 00000008.00000002.1978685438.00007FFDFA67C000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: R9GpVOQoR3.msi
Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: openvpn.exe, 00000008.00000002.1989067213.00007FFE1A541000.00000002.00000001.01000000.0000000A.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SecureProp.pdb source: R9GpVOQoR3.msi, SecureProp.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: R9GpVOQoR3.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb{{ source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\openvpn\out\build\win-amd64-release\Release\openvpn.pdb source: openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: R9GpVOQoR3.msi, MSI834C.tmp.1.dr
Source: Binary string: C:\buildbot\msbuild\openvpn-build\src\vcpkg\buildtrees\openssl\x64-windows-ovpn-rel\libssl-3-x64.pdb source: openvpn.exe, 00000008.00000002.1988353237.00007FFE00530000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: vlc.exe.1.drStatic PE information: 0xA6D0A6C0 [Sun Sep 8 06:27:12 2058 UTC]
Source: vlc.exe.1.drStatic PE information: section name: .buildid
Source: vlc.exe.1.drStatic PE information: section name: .xdata
Source: vlc.exe.1.drStatic PE information: section name: /4
Source: libassuan-0.dll.1.drStatic PE information: section name: .xdata
Source: libgpg-error-0.dll.1.drStatic PE information: section name: .xdata
Source: VCRUNTIME140.dll.1.drStatic PE information: section name: _RDATA
Source: libwinpthread-1.dll.1.drStatic PE information: section name: .xdata
Source: SecureProp.dll.1.drStatic PE information: section name: .fptable
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: libpkcs11-helper-1.dll.1.drStatic PE information: section name: .hdata
Source: MSIAD4D.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6417.tmp.1.drStatic PE information: section name: .fptable
Source: MSI657F.tmp.1.drStatic PE information: section name: .fptable
Source: MSI65CF.tmp.1.drStatic PE information: section name: .fptable
Source: MSI661E.tmp.1.drStatic PE information: section name: .fptable
Source: MSI6738.tmp.1.drStatic PE information: section name: .fptable
Source: MSI834C.tmp.1.drStatic PE information: section name: .fptable
Source: MSIA2FB.tmp.1.drStatic PE information: section name: .fptable
Source: MSIA33A.tmp.1.drStatic PE information: section name: .fptable
Source: MSIB703.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_02A0BD83 push esp; ret 4_2_02A0BD93
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FF7870BD2CD push rbx; iretd 8_2_00007FF7870BD2CE
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00484745 push rsi; ret 8_2_00007FFE00484746
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BC2B8 push 050001C2h; retn 0001h8_2_00007FFE004BC2C5
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BC2D0 push 680001C2h; retn 0001h8_2_00007FFE004BC2D5
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE004BC2C8 push 680001C2h; retn 0001h8_2_00007FFE004BC2CD
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6738.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA2FB.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAD4D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA33A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libcrypto-3-x64.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\VCRUNTIME140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI657F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI834C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI661E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6417.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI65CF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB703.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetAdaptersInfo,malloc,GetAdaptersInfo,malloc,8_2_00007FF787137970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 583
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6738.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA2FB.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAD4D.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA33A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI657F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI834C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI661E.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6417.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI65CF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB703.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003455A0 GetLocalTime,GetCurrentProcess,GetProcessTimes,FileTimeToSystemTime,OutputDebugStringW,GetLocalTime,GetDateFormatW,VirtualQuery,FormatMessageW,FindClose,WinExec,ReadThreadProfilingData,WriteConsoleOutputCharacterW,SetThreadpoolThreadMaximum,GetCurrentConsoleFontEx,SetHandleInformation,GetCurrentThreadId,GetEnvironmentVariableW,RegisterWaitForSingleObject,OffsetClipRgn,FindNLSStringEx,OpenMutexW,OutputDebugStringW,CloseHandle,OutputDebugStringW,GetTempPathW,GetFileAttributesW,OutputDebugStringA,RegOpenKeyExW,RegCloseKey,OutputDebugStringW,Concurrency::cancel_current_task,GetConsoleAliasesW,GetConsoleCursorInfo,RegisterApplicationRecoveryCallback,lstrcmpiW,CreateThreadpool,GetSystemPowerStatus,BeginUpdateResourceW,LoadResource,UnlockFileEx,CreateMutexExW,CreateMemoryResourceNotification,FindResourceW,GetCalendarInfoEx,DosDateTimeToFileTime,CreateThreadpoolWork,UnlockFileEx,GetFirmwareEnvironmentVariableW,DeleteProcThreadAttributeList,EnumTimeFormatsW,GetSystemFileCacheSize,CreateFileW,CancelThreadpoolIo,BackupSeek,SetStdHandle,CreateThreadpoolWork,FreeEnvironmentStringsW,GetUserDefaultLangID,EnumResourceNamesExW,IsDBCSLeadByte,GetConsoleProcessList,CloseThreadpoolIo,OpenFileById,RtlCaptureStackBackTrace,GetThreadPreferredUILanguages,TerminateThread,FatalExit,8_2_00007FFE003455A0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe API coverage: 1.8 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep count: 3750 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 583 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE0034AC80 GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003478C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GetLocalTime,OpenMutexA,GetTempPathW,GetTempFileNameW,CreateThreadpoolWait,GetSystemDefaultLangID,lstrlenW,HeapReAlloc,UnregisterBadMemoryNotification,ConnectNamedPipe,DeleteTimerQueueEx,FindFirstFileNameW,VirtualQuery,WaitCommEvent,CompareStringOrdinal,SetThreadErrorMode,WriteConsoleOutputW,IsThreadpoolTimerSet,NeedCurrentDirectoryForExePathW,HeapFree,GetDefaultCommConfigW,GetNamedPipeClientSessionId,FindVolumeClose,CreateSemaphoreW,CloseHandle,WakeConditionVariable,VerifyVersionInfoW,CompareStringEx,ConvertFiberToThread,GetStartupInfoW,GetOverlappedResultEx,GetProcessId,GetStringTypeW,WriteConsoleOutputCharacterW,SetTapeParameters,RegisterApplicationRestart,AddScopedPolicyIDAce,ConvertThreadToFiberEx,WaitForDebugEvent,UnregisterBadMemoryNotification,GetThreadSelectorEntry,LeaveCriticalSection,SetSystemFileCacheSize,VerifyScripts,SetUserGeoID,GetLocalTime,GetShortPathNameW,IsProcessInJob,GetVolumePathNamesForVolumeNameW,EscapeCommFunction,DeleteTimerQueueEx,WriteProcessMemory,IsValidLanguageGroup,GetDynamicTimeZoneInformation,InitOnceExecuteOnce,GetNumberOfConsoleMouseButtons,RtlCaptureStackBackTrace,GetNamedPipeServerProcessId,LoadResource,WinExec,GetCommModemStatus,FreeConsole,LoadResource,GetCurrentThread,CompareFileTime,HeapLock,GetNumberOfConsoleInputEvents,OpenFileMappingW,SetCommState,IsBadStringPtrW,GetStringTypeW,VirtualProtect,8_2_00007FFE003478C0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003EC1EC FindFirstFileExW,8_2_00007FFE003EC1EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00346670 GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunct8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW,8_2_00007FFE00349790
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003433F0 GetTempPathA,GetTempFileNameA,QueryFullProcessImageNameW,CommConfigDialogW,CallbackMayRunLong,lstrcatW,UnregisterApplicationRestart,GetThreadSelectorEntry,BuildCommDCBW,SetConsoleHistoryInfo,PtVisible,CreatePrivateNamespaceW,GetConsoleSelectionInfo,WakeConditionVariable,PeekNamedPipe,EnumCalendarInfoExEx,Polygon,OpenWaitableTimerW,GetLogicalDrives,EnumResourceTypesExW,GetPhysicallyInstalledSystemMemory,SetEventWhenCallbackReturns,CopyFileW,GetFirmwareType,GetStartupInfoW,GetColorAdjustment,CreateMetaFileW,CancelWaitableTimer,BackupRead,GetCommState,GetCommandLineW,GetWindowsDirectoryW,GetConsoleCursorInfo,GetNamedPipeServerProcessId,GetMaximumProcessorGroupCount,OpenWaitableTimerW,SetFileAttributesTransactedW,DeleteTimerQueueEx,SetFileAttributesW,MoveFileExW,WaitForThreadpoolTimerCallbacks,CreateThreadpoolWait,CopyFileW,ReadConsoleOutputCharacterW,SetFirmwareEnvironmentVariableW,GetTempFileNameW,AddScopedPolicyIDAce,GetCPInfoExW,QueryInformationJobObject,FatalExit,CreateThreadpoolWork,RegOpenKeyExA,GetLongPathNameW,SetConsoleCP,VerifyScripts,CreateThreadpoolIo,EnumResourceLanguagesW,FindNLSString,CancelThreadpoolIo,UpdateResourceW,CheckNameLegalDOS8Dot3W,ScrollConsoleScreenBufferW,GetVolumeNameForVolumeMountPointW,TransactNamedPipe,ReadFile,CreateEventW,GetLogicalDriveStringsW,CreateDirectoryExW,EnumResourceTypesW,RegQueryValueExA,GetThreadGroupAffinity,CreateWaitableTimerW,GetNamedPipeClientComputerNameW,VirtualFreeEx,TerminateThread,SetDynamicTimeZoneInformation,GetLogicalDriveStringsW,CloseThreadpoolWork,GetThreadIdealProcessorEx,CreateJobObjectW,UnregisterWait,OpenFileById,MapViewOfFile,UnregisterWait,AddIntegrityLabelToBoundaryDescriptor,CancelIo,SetThreadPriorityBoost,QueryPerformanceFrequency,RegCloseKey,OutputDebugStringA,8_2_00007FFE003433F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit,8_2_00007FFE00349CD0
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QIclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q3classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/runtime/JVMCICompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric.class
Source: jdk.jdi.jmod.1.drBinary or memory string: ;%Eclasses/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/QVclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QHclasses/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q<classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q8classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/aarch64/AArch64HotSpotJVMCIBackendFactory.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q>classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassPaths.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QFclasses/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.class
Source: jdk.jdi.jmod.1.drBinary or memory string: :B:classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$1.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/PathSearchingVirtualMachine.class}
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q-classes/jdk/vm/ci/runtime/JVMCICompiler.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QBclasses/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/services/JVMCIServiceLocator.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Exit.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q;classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/SharedLibraryJVMCIReflection.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerImpl.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/QLclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.jdi.jmod.1.drBinary or memory string: Et?classes/com/sun/tools/jdi/JDWP$VirtualMachine$SetDefaultStratum.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineManagerService.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QPclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$4.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/PathSearchingVirtualMachine.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIUnsupportedOperationError.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllThreads.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.class
Source: jdk.jdi.jmod.1.drBinary or memory string: )classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: 5classes/com/sun/tools/jdi/JDWP$VirtualMachine$ReleaseEvents.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q<classes/com/sun/tools/jdi/VirtualMachineManagerService.class}
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q@classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIBackend.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/services/JVMCIPermission.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.jdi.jmod.1.drBinary or memory string: Qclasses/com/sun/tools/jdi/JDWP$VirtualMachine$Version.classPK
Source: jdk.jconsole.jmod.1.drBinary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.class
Source: jdk.jdi.jmod.1.drBinary or memory string: Bv"classes/com/sun/tools/jdi/JDWP$VirtualMachine$InstanceCounts.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/VirtualMachineManager.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIReflection.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature$ClassInfo.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Version.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllModules.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QLclasses/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q;classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Resume.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/common/JVMCIError.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Capabilities.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$2.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Dispose.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q2classes/com/sun/tools/jdi/VirtualMachineImpl.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q,classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/QOclasses/jdk/vm/ci/hotspot/HotSpotJVMCICompilerConfig$DummyCompilerFactory.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QFclasses/com/sun/tools/jdi/JDWP$VirtualMachine$ClassesBySignature.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$Suspend.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$TopLevelThreadGroups.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/runtime/JVMCI.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QCclasses/com/sun/tools/jdi/JDWP$VirtualMachine$CapabilitiesNew.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevel.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q5classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$3.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$IDSizes.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q)classes/jdk/vm/ci/common/JVMCIError.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$SoftObjectReference.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/runtime/JVMCIRuntime.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$HoldEvents.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/QEclasses/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/amd64/AMD64HotSpotJVMCIBackendFactory.classPK
Source: jdk.jconsole.jmod.1.drBinary or memory string: classes/sun/tools/jconsole/LocalVirtualMachine.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q9classes/com/sun/tools/jdi/VirtualMachineManagerImpl.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$DisposeObjects$Request.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/QSclasses/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.class
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q(classes/com/sun/jdi/VirtualMachine.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCICompilerFactory$CompilationLevelAdjustment.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/jdi/VirtualMachine.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$CreateString.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$RedefineClasses$ClassDef.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClasses.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/JDWP$VirtualMachine$AllClassesWithGeneric$ClassInfo.classPK
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/Q:classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$Option.class
Source: jdk.jdi.jmod.1.drBinary or memory string: classes/com/sun/tools/jdi/VirtualMachineImpl$1.classPK
Source: jdk.jdi.jmod.1.drBinary or memory string: n/Q/classes/com/sun/jdi/VirtualMachineManager.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: n/QGclasses/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime$WeakReferenceHolder.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/runtime/JVMCI.class
Source: jdk.internal.vm.ci.jmod.1.drBinary or memory string: classes/jdk/vm/ci/hotspot/HotSpotJVMCIRuntime.classPK
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00344090 AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount,8_2_00007FFE00344090
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe "C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FF78714C9F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF78714C9F0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit,8_2_00007FFE00349CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003CC808 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFE003CC808
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003DC8B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00007FFE003DC8B4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00480DA0 SetUnhandledExceptionFilter,8_2_00007FFE00480DA0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE0052F040 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FFE0052F040

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE00349790 UnregisterSuspendResumeNotification,ValidateRect,MessageBoxIndirectW,SetFileAttributesW,IsProcessDPIAware,SetProcessRestrictionExemption,GetModuleHandleExW,FindWindowExW,GetGUIThreadInfo,TransmitCommChar,HeapQueryInformation,SetSystemCursor,GetNumberOfConsoleInputEvents,RemoveVectoredExceptionHandler,SetLocaleInfoW,CopyFileW,mouse_event,GetCurrentProcess,GlobalReAlloc,EndDeferWindowPos,DefRawInputProc,GetUserDefaultLocaleName,PrefetchVirtualMemory,EnumWindows,DialogBoxParamW,DialogBoxParamW,SetProcessWorkingSetSizeEx,GetLastInputInfo,GetPriorityClass,SetNamedPipeHandleState,MapVirtualKeyW,OpenPrivateNamespaceW,SetSystemCursor,GetCurrentConsoleFont,TzSpecificLocalTimeToSystemTimeEx,FlushViewOfFile,FindNextVolumeW,NotifyUILanguageChange,EscapeCommFunction,Wow64SuspendThread,DeleteAtom,GetSystemDefaultLCID,GetFirmwareType,ReleaseSRWLockExclusive,SetCommTimeouts,RtlCaptureContext,GetCommMask,QueryProtectedPolicy,WriteConsoleW,RemoveDllDirectory,GetUserDefaultLangID,CreateMailslotW,StartThreadpoolIo,FatalAppExitW,GetCommProperties,Wow64SetThreadContext,GetFileInformationByHandle,SetConsoleHistoryInfo,WriteProfileStringW,InitializeSynchronizationBarrier,SetFilePointerEx,SetMailslotInfo,GetNumaAvailableMemoryNodeEx,GetProcessGroupAffinity,FindResourceW,ApplicationRecoveryInProgress,DnsHostnameToComputerNameW,GetConsoleProcessList,DeleteTimerQueueEx,GetNLSVersionEx,PurgeComm,OpenFileMappingW,FindFirstFileNameTransactedW,SetThreadpoolStackInformation,CheckTokenCapability,GetCurrencyFormatW,GetConsoleProcessList,GetCurrentConsoleFont,MapViewOfFileEx,RequestWakeupLatency,FlsFree,ConvertDefaultLocale,GetProcessHeap,TryEnterCriticalSection,EnumLanguageGroupLocalesW,EnumLanguageGroupLocalesW,DeleteTimerQueueEx,InitializeConditionVariable,GetLongPathNameTransactedW,8_2_00007FFE00349790
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssadc5.ps1" -propfile "c:\users\user\appdata\local\temp\msiadb3.txt" -scriptfile "c:\users\user\appdata\local\temp\scradb4.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scradb5.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FF787143F40 GetStdHandle,GetConsoleMode,SetConsoleMode,_exit,SetConsoleCtrlHandler,MultiByteToWideChar,malloc,MultiByteToWideChar,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,WaitForSingleObject,free,_exit,8_2_00007FF787143F40
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exeCode function: 8_2_00007FFE003F5D60 cpuid 8_2_00007FFE003F5D60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: AllocConsole,SetConsoleScreenBufferInfoEx,TryEnterCriticalSection,AreFileApisANSI,IsValidCodePage,SetDefaultCommConfigW,GetProcessHandleCount,ReleaseMutexWhenCallbackReturns,CloseThreadpoolTimer,DeleteCriticalSection,SetFileShortNameW,SystemTimeToFileTime,GetPrivateProfileSectionW,WriteConsoleW,GetStringTypeA,CreateEventExW,GetCurrentDirectoryW,GetFileAttributesW,GlobalAlloc,OutputDebugStringW,GlobalLock,LocalAlloc,FindNextVolumeW,GetCapture,GetEnvironmentStringsW,GetNumaAvailableMemoryNode,GetCurrentConsoleFontEx,SetComputerNameExW,UnregisterApplicationRestart,AnyPopup,IsZoomed,lstrcpyW,ReadConsoleInputW,GetMaximumProcessorCount,SetupComm,GetDiskFreeSpaceW,LocalLock,GetProcessHeap,IsDebuggerPresent,WaitForThreadpoolTimerCallbacks,GlobalHandle,SetUnhandledExceptionFilter,CreateThreadpool,HeapAlloc,MulDiv,SetCommConfig,FindNextFileW,SetFileValidData,ReleaseMutex,SetThreadLocale,CreateFileMappingFromApp,PrepareTape,GetLogicalProcessorInformation,WriteFileEx,VirtualAlloc,AllocConsole,CloseHandle,WritePrivateProfileSectionW,GetLocaleInfoW,GlobalSize,HeapFree,CreateTapePartition,GetDriveTypeW,GetErrorMode,GetCurrentThreadId,SetConsoleTextAttribute,CreateEventExW,GetProcessHandleCount,IsDBCSLeadByte,GetMaximumProcessorCount,8_2_00007FFE00344090
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetStartupInfoW,CopyFile2,SetProcessPriorityBoost,IsValidLanguageGroup,SetProcessPriorityBoost,AssignProcessToJobObject,GetModuleFileNameW,GetComputerNameW,GetPrivateProfileSectionW,GetDefaultCommConfigW,SystemTimeToFileTime,GetNumaProcessorNode,GetLocaleInfoEx,GetCurrentProcessorNumber,FindFirstFileNameW,CopyFileTransactedW,QueryPerformanceCounter,FlushConsoleInputBuffer,MapUserPhysicalPagesScatter,LCMapStringW,QueryMemoryResourceNotification,VerifyScripts,FindStringOrdinal,SetFileTime,SetThreadGroupAffinity,EnumTimeFormatsW,OutputDebugStringA,8_2_00007FFE0034AC80
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFE003F007C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFE003F014C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FFE003F01E4
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: SetProcessShutdownParameters,GetLocaleInfoEx,8_2_00007FFE00480390
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetThreadSelectorEntry,GetLocaleInfoEx,8_2_00007FFE00480398
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoEx,8_2_00007FFE004803A8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFE003F042C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFE004804F8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_00007FFE003F0584
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFE003F0634
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetProcessShutdownParameters,WriteConsoleOutputW,SetWaitableTimerEx,GetThreadId,LocalReAlloc,GetFirmwareEnvironmentVariableW,WakeAllConditionVariable,RegisterApplicationRecoveryCallback,GetNumberOfConsoleInputEvents,ContinueDebugEvent,DuplicateHandle,HeapReAlloc,CancelWaitableTimer,CancelIo,GetNumaHighestNodeNumber,SetFilePointer,FindNextVolumeMountPointW,InterlockedPushEntrySList,CreateWaitableTimerW,GlobalSize,DeleteVolumeMountPointW,IsWow64Process,QueryDosDeviceW,ReadFileEx,RegisterApplicationRecoveryCallback,ToAsciiEx,lstrcmpiW,SetThreadpoolTimerEx,GetRawInputData,GetFullPathNameW,TabbedTextOutW,QueryThreadProfiling,CreateMailslotW,EnumResourceTypesW,AcquireSRWLockExclusive,CharPrevExA,GetWindowsDirectoryW,GetWindowPlacement,GetFullPathNameTransactedW,SetFirmwareEnvironmentVariableW,BackupWrite,SetTapeParameters,IsValidLocaleName,CopyFileExW,LoadCursorFromFileW,FindFirstVolumeW,CharToOemW,AddSecureMemoryCacheCallback,MulDiv,QueryThreadProfiling,GetKeyboardLayout,DrawEdge,LoadPackagedLibrary,GetDynamicTimeZoneInformation,DebugActiveProcess,GetSystemDirectoryW,HeapCompact,GlobalHandle,WaitNamedPipeW,SetCommState,CreateMailslotW,VirtualProtect,InterlockedFlushSList,GlobalGetAtomNameW,AllocConsole,GetNLSVersionEx,GetSystemTimes,PowerSetRequest,WriteConsoleW,SetTimeZoneInformation,QueryProtectedPolicy,GetCurrentProcessorNumber,CompareFileTime,GetCurrentThread,ConvertDefaultLocale,GetActiveProcessorGroupCount,SetConsoleCursorPosition,SetConsoleOutputCP,NeedCurrentDirectoryForExePathW,OfferVirtualMemory,SetFileIoOverlappedRange,PrefetchVirtualMemory,SystemTimeToFileTime,GetProfileIntW,GetConsoleCursorInfo,GlobalGetAtomNameW,SizeofResource,GetCurrentThread,OpenEventW,EnumSystemGeoID,SleepConditionVariableCS,OpenWaitableTimerW,EnumResourceNamesW,SetThreadpoolStackInformation,GetLogicalProcessorInformationEx,ReadFileEx,GetConsoleAliasesW,QueryThreadProfiling,GetFileSizeEx,VirtualUnlock,GetSystemDirectoryW,FindNextChangeNotification,HeapWalk,TerminateThread,HeapWalk,UnlockFile,QueryThreadpoolStackInformation,CreateDirectoryExW,FindFirstFileTransactedW,LockFile,GetFileTime,CloseThreadpoolTimer,CheckTokenMembershipEx,UnregisterApplicationRestart,GetSystemTime,FlushFileBuffers,FindVolumeClose,GetUserDefaultLCID,ConvertThreadToFiber,AddSecureMemoryCacheCallback,GetNumaHighestNodeNumber,CloseThreadpoolIo,GetProcessPreferredUILanguages,DnsHostnameToComputerNameW,RaiseException,GetFileAttributesExW,SetVolumeMountPointW,lstrlenW,GetUserDefaultLCID,SetCommMask,SizeofResource,GetSystemDEPPolicy,GetVolumeNameForVolumeMountPointW,FreeLibrary,DrawFocusRect,DnsHostnameToComputerNameW,GetSystemMenu,GetThreadPriorityBoost,RegisterWindowMessageW,LogicalToPhysicalPoint,FreeLibraryWhenCallbackReturns,DdeSetUserHandle,GetModuleFileNameW,RemoveVectoredContinueHandler,SetConsoleMode,IsThreadpoolTimerSet,SetProcessWorkingSetSize,GetScrollPos,SetWindowContextHelpId,FlushConsoleInputBuffer,SetWaitableTimerEx,IsValidCodePage,CommConfigDialogW,EscapeCommFunction,EnumSystemLocales8_2_00007FFE00346670
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00007FFE003F0768
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: EnumSystemLocalesW,8_2_00007FFE003E4C50
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: GetLocaleInfoW,8_2_00007FFE003E51E8
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,8_2_00007FFE003EFD20
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF78714D3EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_00007FF78714D3EC
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE003E815C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,8_2_00007FFE003E815C
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FFE00349CD0 GetDynamicTimeZoneInformation,SetUnhandledExceptionFilter,IsClipboardFormatAvailable,SleepConditionVariableSRW,GetActiveProcessorGroupCount,GetDlgItemInt,CreateDirectoryTransactedW,LoadPackagedLibrary,GetCommModemStatus,ReleaseMutex,WaitForDebugEvent,GetFullPathNameTransactedW,RaiseException,GetACP,GetBrushOrgEx,GlobalUnlock,GetNamedPipeClientComputerNameW,SetTapeParameters,WritePrivateProfileSectionW,FindCloseChangeNotification,BackupWrite,LocalFlags,GetThreadPreferredUILanguages,GetDeviceCaps,GetVolumePathNameW,CreateBrushIndirect,GetEnhMetaFileW,LPtoDP,PowerCreateRequest,GetConsoleOutputCP,SleepConditionVariableSRW,RaiseException,SetThreadPriorityBoost,OpenFile,SetFilePointerEx,FindNLSStringEx,QueryDosDeviceW,OpenMutexW,SetFileAttributesTransactedW,InterlockedPopEntrySList,PowerCreateRequest,GlobalReAlloc,GetProcAddress,LoadModule,CloseThreadpoolCleanupGroup,GetProcessHeaps,GetNLSVersionEx,GetCommState,FreeUserPhysicalPages,FreeResource,GetLocalTime,GetSystemInfo,CreateEventExW,MapViewOfFile,CreateRemoteThread,SetProcessShutdownParameters,SetDllDirectoryW,GetLongPathNameTransactedW,GetNumberOfConsoleMouseButtons,SetCalendarInfoW,DisassociateCurrentThreadFromCallback,GetCommProperties,BindIoCompletionCallback,CompareStringOrdinal,SetCommMask,Wow64GetThreadContext,IsProcessInJob,SystemTimeToTzSpecificLocalTime,IsValidLocale,RegCreateKeyExW,RegSetValueExW,RegCloseKey,CreateMutexW,MessageBoxW,CloseHandle,OutputDebugStringA,GetProcessHeaps,SetFileApisToANSI,FindVolumeMountPointClose,InitOnceExecuteOnce,UnregisterApplicationRestart,FileTimeToDosDateTime,InitializeProcThreadAttributeList,ReOpenFile,LCMapStringW,SetProcessWorkingSetSizeEx,FindNLSString,GetMaximumProcessorCount,DdeReconnect,FindFirstVolumeW,InterlockedPushListSListEx,IsWindowUnicode,GetNumaAvailableMemoryNodeEx,TzSpecificLocalTimeToSystemTimeEx,ChangeDisplaySettingsW,UserHandleGrantAccess,GetTapeParameters,RemoveVectoredExceptionHandler,EnumTimeFormatsW,FindNextVolumeW,GetWriteWatch,SetProcessPreferredUILanguages,CharUpperW,GetStartupInfoW,DdeNameService,GetVersionExW,FatalExit,FatalExit,8_2_00007FFE00349CD0
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF7870CD370 socket,listen,_exit,getsockname,free,free,8_2_00007FF7870CD370
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787115E60 setsockopt,bind,_exit,8_2_00007FF787115E60
Source: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe Code function: 8_2_00007FF787115660 listen,_exit,free,free,8_2_00007FF787115660
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Network Sniffing | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 11 Peripheral Device Discovery | Remote Desktop Protocol | 11 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 Network Sniffing | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 37 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 31 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1562675, Sample: R9GpVOQoR3.msi, Startdate: 25/11/2024, Architecture: WINDOWS, Score: 38)
Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; NDIS Filter Driver detected (likely used to intercept and sniff network traffic); 3 other signatures
  • msiexec.exe: dropped C:\Windows\Installer\MSIB703.tmp (PE32), C:\Windows\Installer\MSIAD4D.tmp (PE32), C:\Windows\Installer\MSIA33A.tmp (PE32) and 40 other files (12 malicious); started msiexec.exe and openvpn.exe
    • msiexec.exe: contacted key-keys.com (104.21.81.131, 443, 49732, CLOUDFLARENETUS, United States); dropped C:\Users\user\AppData\Local\...\scrADB4.ps1, C:\Users\user\AppData\Local\...\pssADC5.ps1 and C:\Users\user\AppData\Local\...\msiADB3.txt (Unicode); signature: Bypasses PowerShell execution policy; started powershell.exe
      • powershell.exe: started conhost.exe
    • openvpn.exe: started conhost.exe
  • msiexec.exe

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\SecureProp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\VCRUNTIME140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-multibyte-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-private-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libassuan-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libcrypto-3-x64.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libgpg-error-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libpkcs11-helper-1.dll | 24% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libwinpthread-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe | 0% | ReversingLabs
C:\Windows\Installer\MSI6417.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI657F.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI65CF.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI661E.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI6738.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI834C.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA2FB.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA33A.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIAD4D.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIB703.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://key-keys.com/licenseUser.phpAI_DATA_SETTER_4Params | 0% | Avira URL Cloud | safe
https://key-keys.com/licenseUser.php | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
key-keys.com | 104.21.81.131 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://key-keys.com/licenseUser.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://openvpn.net/howto.html#mitm | openvpn.exe, openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBdq | powershell.exe, 00000004.00000002.1902246354.0000000004711000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000002.1902246354.0000000004DD3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://key-keys.com/licenseUser.phpAI_DATA_SETTER_4Params | R9GpVOQoR3.msi | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.openssl.org/H | openvpn.exe, 00000008.00000002.1988845679.00007FFE00561000.00000002.00000001.01000000.00000007.sdmp, openvpn.exe, 00000008.00000002.1986975321.00007FFDFA77F000.00000002.00000001.01000000.00000008.sdmp, libcrypto-3-x64.dll.1.dr | false | | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.1905080934.000000000577D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://openvpn.net/faq.html#dhcpclientserv | openvpn.exe, openvpn.exe, 00000008.00000000.1969466696.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp, openvpn.exe, 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1902246354.0000000004711000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.openssl.org/ | openvpn.exe | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1902246354.0000000004868000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.21.81.131 | key-keys.com | United States | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562675
Start date and time: 2024-11-25 21:32:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: R9GpVOQoR3.msi (renamed because original name is a hash value)
Original Sample Name: 88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70.msi
Detection: SUS
Classification: sus38.troj.evad.winMSI@10/153@1/1
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 47
  • Number of non-executed functions: 194
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target powershell.exe, PID 7944 because it is empty
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: R9GpVOQoR3.msi
Time | Type | Description
15:33:30 | API Interceptor | 4x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.81.131 | Wednesday January 26 2022 925 AM .htm | malicious | HTMLPhisher
 | Updated Proposal and Statements.docx | malicious | HTMLPhisher
 | TELEFAX_EricksonZMK346ZMK26LN3LN.HTM | malicious | HTMLPhisher
 | TELEFAX_EricksonZMK346ZMK26LN3LN.HTM | malicious | HTMLPhisher
 | TELEFAX_CbtsLYI913LYI83ZL6ZL.HTM | malicious | HTMLPhisher
 | BACs payment receipt.html | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.67.187.240
 | https://Saic.anastaclooverseas.com/zwfgemvfcbcitui/xivyvjldaquzs/Zgktmgjdfgpirwe89g0xmaersk/ixiswwcbzmfgee/jebqtppyunp/random.bby/inpoxqhfiww/gmail.com/ozwunijponqp8 | malicious | Unknown | 104.21.71.35
 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.187.240
 | Fumari INC.eml | malicious | Unknown | 104.18.11.200
 | https://invites-doc.webflow.io/ | malicious | HTMLPhisher | 104.21.4.141
 | file.exe | malicious | Unknown | 172.67.187.240
 | Fumari INC.eml | malicious | Unknown | 104.18.11.200
 | http://www.thecrownstate.co.uk/ | malicious | Unknown | 104.21.19.197
 | https://sites.google.com/ceqy.com/rfp/home | malicious | HTMLPhisher | 104.21.68.132
 | https://yancesybros.com/WHF9842BVD.html | malicious | Unknown | 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | INV-0542.pdf.exe | malicious | GuLoader, Snake Keylogger | 104.21.81.131
 | MSM8C42iAN.exe | malicious | DarkCloud | 104.21.81.131
 | November Quotation.exe | malicious | GuLoader, MassLogger RAT | 104.21.81.131
 | PO_203-25.exe | malicious | Remcos, GuLoader | 104.21.81.131
 | wMy37vlfvz.exe | malicious | DarkCloud | 104.21.81.131
 | WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs | malicious | Remcos, GuLoader | 104.21.81.131
 | file.exe | malicious | Stealc, Vidar | 104.21.81.131
 | file.exe | malicious | Stealc, Vidar | 104.21.81.131
 | 412300061474#U00b7pdf.vbs | malicious | Remcos, GuLoader | 104.21.81.131
 | order requirements CIF-TRC809910645210.exe | malicious | MassLogger RAT | 104.21.81.131
                                               Match: C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\UnRar.exe
                                               Associated Sample Name / URL | Detection | Threat Name
                                               v.1.6.3__x64__.msi | malicious | LegionLoader
                                               v.1.5.4__x64__.msi | malicious | LegionLoader
                                               LegionLoader (21).msi | malicious | Unknown
                                               LegionLoader (22).msi | malicious | Unknown
                                               LegionLoader (17).msi | malicious | Unknown
                                               LegionLoader (13).msi | malicious | Unknown
                                               LegionLoader (14).msi | malicious | Unknown
                                               LegionLoader (15).msi | malicious | Unknown
                                               LegionLoader (10).msi | malicious | Unknown
                                               LegionLoader (11).msi | malicious | Unknown
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):23509
                                                                  Entropy (8bit):5.837507682656535
                                                                  Encrypted:false
                                                                  SSDEEP:384:79/YMrWF+8fw1Hv18EBd0pbOgcx2WcCsrlQJ8XCPSBmifF5fNvMCyncwicwoM9b6:79/YMrWF+8fw1Hv18EBd0pbOgcx2WcC3
                                                                  MD5:E1B6284906722296442220369FF2E8D8
                                                                  SHA1:C88F9FABDA6EA5FD5AFF127546E19EB274750954
                                                                  SHA-256:033BBB19D692E256133F529E6E2FE6D7817359F387B63097E13A55F7F3BE2BDE
                                                                  SHA-512:A685C390317B148591FD9CE569A3099EB326A938A51D85AAC2AC52C5357F65797728A310E48830A86D750ADF5F952ACD99F4AE96C25449C856F7885779F2F0FA
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:...@IXOS.@.....@0|yY.@.....@.....@.....@.....@.....@......&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}..Oovi Appc..R9GpVOQoR3.msi.@.....@.....@.....@......icon_27.exe..&.{4EC82513-0279-4313-850F-996E4FDD9AFE}.....@.....@.....@.....@.......@.....@.....@.......@......Oovi Appc......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{CBCD90DF-DB36-4D67-AEDD-4171F1E02C1A}&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}.@......&.{8BD726EB-D80E-44BF-87C1-E0FF3732DEBE}&.{2F276CDE-219F
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Jun 18 23:44:58 2021, mtime=Mon Nov 25 19:33:34 2024, atime=Fri Jun 18 23:44:58 2021, length=984312, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):2119
                                                                  Entropy (8bit):3.8478556274847313
                                                                  Encrypted:false
                                                                  SSDEEP:48:8iwUuAt14RRAtzJLNgZXiZ4IJaLdu1iAJal:8iduJ+tJaLc/Ja
                                                                  MD5:176961612DA6B089FAC2CAD84A7E2862
                                                                  SHA1:060CB5B02CE3287678AE2F261B67AFC0C327099E
                                                                  SHA-256:A5E7C44BAC4BAAB982552BAFD61190B9CB5278ADB7CF94898AED8212D06FEB28
                                                                  SHA-512:AC01E0DE086E484D94B6713D773763C3FC818A3A01611DC1F1EAEBBB56BA08B9A2F92A88F680944FC1EDFBB5FA1DFFC128DB0C61064BEC50D5F69CDD411A168F
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:L..................F.@.. ....a'T.d....Ly?...a'T.d..........................$.:..DG..Yr?.D..U..k0.&...&......vk.v....dP.8y?...n.Ly?......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^yY"............................%..A.p.p.D.a.t.a...B.V.1.....yY0...Roaming.@......CW.^yY0...........................o...R.o.a.m.i.n.g.....^.1.....yY0...YUWEIQ~1..F......yY0.yY0.....=.....................o...Y.u.w.e.i. .Q.u.s.i.....\.1.....yY2...OOVIAP~1..D......yY0.yY2....._.........................O.o.v.i. .A.p.p.c.....V.2......R.. .vlc.exe.@.......R..yY2...............................v.l.c...e.x.e.......j...............-.......i....................C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\vlc.exe..;.....\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.u.w.e.i. .Q.u.s.i.\.O.o.v.i. .A.p.p.c.\.v.l.c...e.x.e.4.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.Y.u.w.e.i. .Q.u.s.i.\.O.o.v.i. .A.p.p.c.\.e.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):2
                                                                  Entropy (8bit):1.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:u:u
                                                                  MD5:E99BB33727D338314912E86FBDEC87AF
                                                                  SHA1:6779AFBC3E993C547CA0800A9754F37A6E80E0ED
                                                                  SHA-256:6856C5A3A26B5A3F2EAD70CA56870769D1FEE88F9C457F4360812F2203565824
                                                                  SHA-512:00FC5A88AB965B5A16D7CA33CFEF247ECE3185560F2C778CFBDD0353FE73505638E300B35F447713D26A5001AB29F6F969622BCEAEF1C100E80913F7430CC085
                                                                  Malicious:false
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:0a
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1360
                                                                  Entropy (8bit):5.4135884505161025
                                                                  Encrypted:false
                                                                  SSDEEP:24:3qWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:6WSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                                  MD5:D5028397D86F34AC9543E7AD0AB2F82A
                                                                  SHA1:31F69F656AF7E694A2A7B05120FAA7BB30C01A2D
                                                                  SHA-256:813419B3AD480024DCB4ED8D247B5FB1E5F540A2A3ECAC795713BCD417363375
                                                                  SHA-512:D98692209EC0A7E7F3656923A5110DC0BD3C5F6ED2D3E2183019A814F7CFAD8C7D946AE288F56E24F0D63DCD0BB9780F74300C974B0504FA952B8C3778A8AC6F
                                                                  Malicious:false
                                                                  Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):120
                                                                  Entropy (8bit):3.114265262861381
                                                                  Encrypted:false
                                                                  SSDEEP:3:QtFKYpjKjKDiAl35Yplf8fp0lfflbYplf955:Q6mfDj0LkS3ELN
                                                                  MD5:DF174504EEAED47D591D6E99A2817A15
                                                                  SHA1:1F57BA0AA32EC1E9F8F991CEA40ECE29B6BE65E0
                                                                  SHA-256:34AAF9D28904E1D6CB3625757A1A489D90FDCBC7A93300D5752CDDAF10CEC1AB
                                                                  SHA-512:99F17721EC39515667D4D2CEFC26C54D22109070F20F10AA3013D3325AABEFB2DE848B95B42B9890BE95C096C0C8F749BE15197234D2908D2B04A7241FC558D5
                                                                  Malicious:true
                                                                   Preview:HttpPostServerResponse :<->: 0a <<:>> QuotaQ :<->: 0 <<:>> 
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):6668
                                                                  Entropy (8bit):3.5127462716425657
                                                                  Encrypted:false
                                                                  SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                  MD5:30C30EF2CB47E35101D13402B5661179
                                                                  SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                  SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                  SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                  Malicious:true
                                                                   Preview:
                                                                   param(
                                                                     [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
                                                                    ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
                                                                    ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
                                                                    ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
                                                                    ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
                                                                    ,[Parameter(Mandatory=$true)]
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):266
                                                                  Entropy (8bit):3.566480950588478
                                                                  Encrypted:false
                                                                  SSDEEP:6:Qlfk79idK3fgmfDjl+KiV6QerMTl0x1LlG7JidK3fOlbX:QwElQrMT9NKh
                                                                  MD5:673120B53D3EFBCF19B365330F545E47
                                                                  SHA1:DD051A8F68FEA474284694620F0FC3A07ED3C8FA
                                                                  SHA-256:F688602F60CAA720932287DD3E70C93779C89C30DB3589B884B852F2CD8ABBD6
                                                                  SHA-512:6177A404580A6CF9189CA4CF7AF52B37B839620A6321EAE88C7748318229000B1FCA4A1EE22D199900EEE1BC4F269D82954D174C2961ED021D357BA29F6566FE
                                                                  Malicious:true
                                                                   Preview:
                                                                   $sdjhf = AI_GetMsiProperty "HttpPostServerResponse"
                                                                   $fuifwo = [uint32]($sdjhf -replace 'a', '')
                                                                   AI_SetMsiProperty "QuotaQ" $fuifwo
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):59
                                                                  Entropy (8bit):2.219411074181711
                                                                  Encrypted:false
                                                                  SSDEEP:3:/lGlle2QwXln:8A2ZXln
                                                                  MD5:62E024FE2476732F71542D38DDF3F263
                                                                  SHA1:304A79B7904E2E1017AF6BC24461D2D7B4EDBDE2
                                                                  SHA-256:A05BE7F1BA1635E6CB5A46F778B93A0CA8FDDCD60C0E91BE3A9E86040DB067A5
                                                                  SHA-512:33162E2CA0135E03436491349B6DA65660B5D0F295B97E5243F4A4E380B51D7D6F00AE51CD48894B4149B6771C8E193E70061A190B6ABFC8B1FCAD3AFE084A7D
                                                                  Malicious:false
                                                                  Preview:........................................Advanced Installer.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                  Category:dropped
                                                                  Size (bytes):175255
                                                                  Entropy (8bit):3.85622158771748
                                                                  Encrypted:false
                                                                  SSDEEP:1536:45DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPU:45Dt+e7GVBFvvMg0Vj5Ho4CIDPU
                                                                  MD5:333EE8442C6101D0CD9C874D0AD83EAE
                                                                  SHA1:22278A01E88B826B16D4936FA254E457B9ACA059
                                                                  SHA-256:B5FDF4A4143964A46B7F2BBD1357D075C786F7AFBBA0BE3DD7B2623F379271BF
                                                                  SHA-512:04F3BE053ECB44B11FE9ABDE941BFD367B17C0532B2C634FC42AF85CF1BE68C0F495B13F4B3CA35A4DD9E4535629EE1A615001A244DC1B68C871AB364A0A704F
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):256864
                                                                  Entropy (8bit):6.8622477797553
                                                                  Encrypted:false
                                                                  SSDEEP:3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
                                                                  MD5:E0BFA64EEFA440859C8525DFEC1962D0
                                                                  SHA1:4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
                                                                  SHA-256:8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
                                                                  SHA-512:04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):506008
                                                                  Entropy (8bit):6.4284173495366845
                                                                  Encrypted:false
                                                                  SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                  MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                  SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                  SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                  SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: v.1.6.3__x64__.msi, Detection: malicious, Browse
                                                                  • Filename: v.1.5.4__x64__.msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (21).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (22).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (17).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (13).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (14).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (15).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (10).msi, Detection: malicious, Browse
                                                                  • Filename: LegionLoader (11).msi, Detection: malicious, Browse
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):97152
                                                                  Entropy (8bit):6.423207912198565
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yOHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1lLN:yOr/Z+jPYNV9H0Q8ecbjt1j
                                                                  MD5:5797D2A762227F35CDD581EC648693A8
                                                                  SHA1:E587B804DB5E95833CBD2229AF54C755EE0393B9
                                                                  SHA-256:C51C64DFB7C445ECF0001F69C27E13299DDCFBA0780EFA72B866A7487B7491C7
                                                                  SHA-512:5C4DE4F65C0338F9A63B853DB356175CAE15C2DDC6B727F473726D69EE0D07545AC64B313C380548211216EA667CAF32C5A0FD86F7ABE75FC60086822BC4C92E
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14272
                                                                  Entropy (8bit):6.519411559704781
                                                                  Encrypted:false
                                                                  SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                  MD5:E173F3AB46096482C4361378F6DCB261
                                                                  SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                  SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                  SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.659079053710614
                                                                  Encrypted:false
                                                                  SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                  MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                  SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                  SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                  SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11200
                                                                  Entropy (8bit):6.7627840671368835
                                                                  Encrypted:false
                                                                  SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                  MD5:0233F97324AAAA048F705D999244BC71
                                                                  SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                  SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                  SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12224
                                                                  Entropy (8bit):6.590253878523919
                                                                  Encrypted:false
                                                                  SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                  MD5:E1BA66696901CF9B456559861F92786E
                                                                  SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                  SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                  SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.672720452347989
                                                                  Encrypted:false
                                                                  SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                  MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                  SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                  SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                  SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13760
                                                                  Entropy (8bit):6.575688560984027
                                                                  Encrypted:false
                                                                  SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                  MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                  SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                  SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                  SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.70261983917014
                                                                  Encrypted:false
                                                                  SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                  MD5:D175430EFF058838CEE2E334951F6C9C
                                                                  SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                  SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                  SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.599515320379107
                                                                  Encrypted:false
                                                                  SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                  MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                  SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                  SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                  SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.690164913578267
                                                                  Encrypted:false
                                                                  SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                  MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                  SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                  SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                  SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11720
                                                                  Entropy (8bit):6.615761482304143
                                                                  Encrypted:false
                                                                  SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                  MD5:735636096B86B761DA49EF26A1C7F779
                                                                  SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                  SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                  SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.627282858694643
                                                                  Encrypted:false
                                                                  SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                  MD5:031DC390780AC08F498E82A5604EF1EB
                                                                  SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                  SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                  SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):15816
                                                                  Entropy (8bit):6.435326465651674
                                                                  Encrypted:false
                                                                  SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                  MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                  SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                  SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                  SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.5874576656353145
                                                                  Encrypted:false
                                                                  SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                  MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                  SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                  SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                  SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):13768
                                                                  Entropy (8bit):6.645869978118917
                                                                  Encrypted:false
                                                                  SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                  MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                  SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                  SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                  SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12744
                                                                  Entropy (8bit):6.564006501134889
                                                                  Encrypted:false
                                                                  SSDEEP:192:8a9aY17aFBRAWYhWYWWFYg7VWQ4eWbr0tJSUtpwBqnajrmaaG:8ad9WYhW4F/qlQG
                                                                  MD5:212D58CEFB2347BD694B214A27828C83
                                                                  SHA1:F0E98E2D594054E8A836BD9C6F68C3FE5048F870
                                                                  SHA-256:8166321F14D5804CE76F172F290A6F39CE81373257887D9897A6CF3925D47989
                                                                  SHA-512:637C215ED3E781F824AE93A0E04A7B6C0A6B1694D489E9058203630DCFC0B8152F2EB452177EA9FD2872A8A1F29C539F85A2F2824CF50B1D7496FA3FEBE27DFE
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12232
                                                                  Entropy (8bit):6.678162783983714
                                                                  Encrypted:false
                                                                  SSDEEP:192:+WYhWoWWFYg7VWQ4eWSoV7jjT6iBTqnajbQwr1:+WYhWIiVTTXZl3QC
                                                                  MD5:242829C7BE4190564BECEE51C7A43A7E
                                                                  SHA1:663154C1437ACF66480518068FBC756F5CABB72F
                                                                  SHA-256:EDC1699E9995F98826DF06D2C45BEB9E02AA7817BAE3E61373096AE7F6FA06E0
                                                                  SHA-512:3529FDE428AFFC3663C5C69BAEE60367A083841B49583080F0C4C7E72EAA63CABBF8B9DA8CCFC473B3C552A0453405A4A68FCD7888D143529D53E5EEC9A91A34
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):20928
                                                                  Entropy (8bit):6.2047011292890195
                                                                  Encrypted:false
                                                                  SSDEEP:192:8JIDSM4Oe59rmkUALQe1hgmL44WYhWWWWFYg7VWQ4yWARgKZRqnajl6umA:8JI2M4Oe59Ckb1hgmLhWYhW2v2yRlwQ
                                                                  MD5:FB79420EC05AA715FE76D9B89111F3E2
                                                                  SHA1:15C6D65837C9979AF7EC143E034923884C3B0DBD
                                                                  SHA-256:F6A93FE6B57A54AAC46229F2ED14A0A979BF60416ADB2B2CFC672386CCB2B42E
                                                                  SHA-512:C40884C80F7921ADDCED37B1BF282BB5CB47608E53D4F4127EF1C6CE7E6BB9A4ADC7401389BC8504BF24751C402342693B11CEF8D06862677A63159A04DA544E
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):19904
                                                                  Entropy (8bit):6.189411151090302
                                                                  Encrypted:false
                                                                  SSDEEP:384:4SrxLPmIHJI6/CpG3t2G3t4odXLhWYhWfgy6l9ne:4iPmIHJI6vZO
                                                                  MD5:A5B920F24AEA5C2528FE539CD7D20105
                                                                  SHA1:3FAE25B81DC65923C1911649ED19F193ADC7BDDE
                                                                  SHA-256:5B3E29116383BA48A2F46594402246264B4CB001023237EBBF28E7E9292CDB92
                                                                  SHA-512:F77F83C7FAD442A9A915ABCBC2AF36198A56A1BC93D1423FC22E6016D5CC53E47DE712E07C118DD85E72D4750CA450D90FDB6F9544D097AFC170AEECC5863158
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):64456
                                                                  Entropy (8bit):5.53593950821058
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Se6De5c4bFe2JyhcvxXWpD7d3334BkZn+PI5c:Se6De5c4bFe2JyhcvxXWpD7d3334BkZU
                                                                  MD5:5C2004DAF398620211F0AD9781FF4EC2
                                                                  SHA1:E43DD814E90330880EE75259809EEE7B91B4FFA6
                                                                  SHA-256:55BC91A549D22B160AE4704485E19DEE955C7C2534E7447AFB84801EE629639B
                                                                  SHA-512:11EDBBC662584BB1DEA37D1B23C56426B970D127F290F3BE21CD1BA0A80D1F202047ABB80D8460D17A7CACF095DE90B78A54F7C7EC395043D54B49FFE688DF51
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12736
                                                                  Entropy (8bit):6.592404054572702
                                                                  Encrypted:false
                                                                  SSDEEP:192:+nqjd7dWYhWDWWFYg7VWQ4yWMJ5HKZRqnajl6b:+nsWYhWxp5HyRlwb
                                                                  MD5:DD899C6FFECCE1DCA3E1C3B9BA2C8DA2
                                                                  SHA1:2914B84226F5996161EB3646E62973B1E6C9E596
                                                                  SHA-256:191F53988C7F02DD888C4FBF7C1D3351570F3B641146FAE6D60ACDAE544771AE
                                                                  SHA-512:2DB47FAA025C797D8B9B82DE4254EE80E499203DE8C6738BD17DDF6A77149020857F95D0B145128681A3084B95C7D14EB678C0A607C58B76137403C80FE8F856
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16328
                                                                  Entropy (8bit):6.449442433945565
                                                                  Encrypted:false
                                                                  SSDEEP:192:maajPrpJhhf4AN5/KixWYhW4XWWFYg7VWQ4eWvppXjxceXqnajLJhrdCq:mlbr7nWYhW41MXjmAlnJhUq
                                                                  MD5:883120F9C25633B6C688577D024EFD12
                                                                  SHA1:E4FA6254623A2B4CDEA61712CDFA9C91AA905F18
                                                                  SHA-256:4390C389BBBF9EC7215D12D22723EFD77BEB4CD83311C75FFE215725ECFD55DC
                                                                  SHA-512:F17D3B667CC8002F4B6E6B96B630913FA1CB4083D855DB5B7269518F6FF6EEBF835544FA3B737F4FC0EB46CCB368778C4AE8B11EBCF9274CE1E5A0BA331A0E2F
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):17864
                                                                  Entropy (8bit):6.393000322519701
                                                                  Encrypted:false
                                                                  SSDEEP:192:WpPLNPjFuWYFxEpahTWYhWHWWFYg7VWQ4eW9M3u57ZqnajgnLSuRCz:W19OFVhTWYhWlBu5llk2
                                                                  MD5:29680D7B1105171116A137450C8BB452
                                                                  SHA1:492BB8C231AAE9D5F5AF565ABB208A706FB2B130
                                                                  SHA-256:6F6F6E857B347F70ECC669B4DF73C32E42199B834FE009641D7B41A0B1C210AF
                                                                  SHA-512:87DCF131E21041B06ED84C3A510FE360048DE46F1975155B4B12E4BBF120F2DD0CB74CCD2E8691A39EEE0DA7F82AD39BC65C81F530FC0572A726F0A6661524F5
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3246
                                                                  Entropy (8bit):4.313391741874073
                                                                  Encrypted:false
                                                                  SSDEEP:48:T7emiglihmWpRlH61/98BuY3SZQU3uD4Vg1lwsbJ0EcWiOr5NSr5NK3WuhYljrHN:RigQLsAiOUoeFTQUydYVrF31pwhwoe
                                                                  MD5:D329845E5D86AFEBE0DB82B3422C70C2
                                                                  SHA1:E432BEE2397B8573444ECAE348300F06AA5DF032
                                                                  SHA-256:56E2090475E1CE11A1885CE8ECE4D4B1F1E863F69A7233CC00BAF56CDAAA9096
                                                                  SHA-512:137202D74C374EC168BC64BBD0039BE2A77DC052842367550EB8E31C9C95B58585F4D3F46F72F80D4A22229C64B8600629B3FAB4F1E9E681446635E0A7524892
                                                                  Malicious:false
                                                                  Preview:SET ISO8859-1..TRY esianrtolcdugmphbyfvkwzESIANRTOLCDUGMPHBYFVKWZ'..NOSUGGEST !....# ordinal numbers..COMPOUNDMIN 1..# only in compounds: 1th, 2th, 3th..ONLYINCOMPOUND c..# compound rules:..# 1. [0-9]*1[0-9]th (10th, 11th, 12th, 56714th, etc.)..# 2. [0-9]*[02-9](1st|2nd|3rd|[4-9]th) (21st, 22nd, 123rd, 1234th, etc.)..COMPOUNDRULE 2..COMPOUNDRULE n*1t..COMPOUNDRULE n*mp..WORDCHARS 0123456789....PFX A Y 1..PFX A 0 re .....PFX I Y 1..PFX I 0 in .....PFX U Y 1..PFX U 0 un .....PFX C Y 1..PFX C 0 de .....PFX E Y 1..PFX E 0 dis .....PFX F Y 1..PFX F 0 con .....PFX K Y 1..PFX K 0 pro .....SFX V N 2..SFX V e ive e..SFX V 0 ive [^e]....SFX N Y 3..SFX N e ion e..SFX N y ication y ..SFX N 0 en [^ey] ....SFX X Y 3..SFX X e ions e..SFX X y ications y..SFX X 0 ens [^ey]....SFX H N 2..SFX H y ieth
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):758251
                                                                  Entropy (8bit):4.79038751246559
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ja/Jivuk9SBJTgI6ecuunMM9J2QX6aCYyV9KdrbHzQnkzDBfcbEwoiiJQC:IJivGTvcuc36FK9m0i1C
                                                                  MD5:3D51E0A789AD7B97307DC64229EFE5BA
                                                                  SHA1:A8665D0D492D85B3A4F903C9C4D43CC42D416516
                                                                  SHA-256:800EA3988CE7707858D97DA15228A30A7C0C0EECDC560EACE14BC0F0965A338E
                                                                  SHA-512:86BC40B7B87E15A36498F2BE31E1C05D6CBE2F4C8290FD5DC6A5D561E3F6AC8500D5F56585760582DE89518A23C4219EBB5D53BDC9FFAD121AFF9057E95668F8
                                                                  Malicious:false
                                                                  Preview:62118..0/nm..1/n1..2/nm..3/nm..4/nm..5/nm..6/nm..7/nm..8/nm..9/nm..0th/pt..1st/p..1th/tc..2nd/p..2th/tc..3rd/p..3th/tc..4th/pt..5th/pt..6th/pt..7th/pt..8th/pt..9th/pt..a..A..AA..AAA..Aachen/M..aardvark/SM..Aaren/M..Aarhus/M..Aarika/M..Aaron/M..AB..aback..abacus/SM..abaft..Abagael/M..Abagail/M..abalone/SM..abandoner/M..abandon/LGDRS..abandonment/SM..abase/LGDSR..abasement/S..abaser/M..abashed/UY..abashment/MS..abash/SDLG..abate/DSRLG..abated/U..abatement/MS..abater/M..abattoir/SM..Abba/M..Abbe/M..abb./S..abbess/SM..Abbey/M..abbey/MS..Abbie/M..Abbi/M..Abbot/M..abbot/MS..Abbott/M..abbr..abbrev..abbreviated/UA..abbreviates/A..abbreviate/XDSNG..abbreviating/A..abbreviation/M..Abbye/M..Abby/M..ABC/M..Abdel/M..abdicate/NGDSX..abdication/M..abdomen/SM..abdominal/YS..abduct/DGS..abduction/SM..abductor/SM..Abdul/M..ab/DY..abeam..Abelard/M..Abel/M..Abelson/M..Abe/M..Aberdeen/M..Abernathy/M..aberrant/YS..aberrational..aberration/SM..abet/S..abetted..abetting..abettor/SM..Abeu/M..abeyance/MS..abeya
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):280
                                                                  Entropy (8bit):6.328040373865125
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKEk/2wqNmEyvsYEE3r7UXGEoW7yR/bp:6v/78nMtIj9yx/6cl1
                                                                  MD5:C58286125E5CB909DAE9107DFD8F2006
                                                                  SHA1:21380AE4E18FC176759885416684A0B19C7F7C82
                                                                  SHA-256:A65F53D774AFC38308625E6C165B2EAD4F1DD03D25896548B42F2F21CF901D2B
                                                                  SHA-512:4E00ED5AC90F78C62BE0507A2DB2ECD57F4505DD79870AA4C1BF485B13E076D5CC29BF4EC9FB0625FEA9F186BF0C21C5F5D7D40BBD6A14C4CC9C6D840800FE1C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):6.181656360209844
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKahknMBpLYoTn40eWuD1hidlYfelDblbp:6v/78nMtehFBpsWnLuDWvYQf
                                                                  MD5:09C1CB2C3931F1E4FA7039678026BFAC
                                                                  SHA1:72526E215BA70B6C0C53A14E30177B3C9C9B3AC7
                                                                  SHA-256:10E4A6EB6992319CA1EB35C7366E3B7A6F1ECA743456282DCF64E76528705D23
                                                                  SHA-512:79C273D66BC3D650643EE84C9C3BE4438848F23DFAB09EF345F93E45EE440147B858E4556B281F166A0640F6EA65A3D8F8D660B2466C9F7CE63DA42035C50E30
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):658
                                                                  Entropy (8bit):7.2752538251619265
                                                                  Encrypted:false
                                                                  SSDEEP:12:6v/7iwnMtI5NdBM926zd5296hYRSOGdZret7SnP4BZKPw2n:ckANbMH2OASOG/retb6
                                                                  MD5:CBECFA8E3A39AD187D0B5B611E8530D3
                                                                  SHA1:1F98EC988EB2326A7905EA0CB0DADB11DFF98456
                                                                  SHA-256:9B54F74F911E5F78A187B52EC94F2049180BF2FBFD043B3E56E5F1D4BF6654A0
                                                                  SHA-512:F68AFB9275F37AA3FB42879D0147B30367A8CE15DEDBC967557D9DEBE12F649665D6E86F32BE3E66640FE95243F7A275656CB5A440A6676BEC74DD2041F5C8CC
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):329
                                                                  Entropy (8bit):6.420308355307663
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyK2z8phbkbsxZG9leYdylfqCJ+k3iIp:6v/78nMtqYPoNl8fqCJlii
                                                                  MD5:0674729E929FD791FC0D0AEF5B2FB5D9
                                                                  SHA1:0A321E40FEA01E9FF341BAF78FCEE0D81963D84C
                                                                  SHA-256:CF909DDCDF9BAD76EC0640275CE54B73F20EAE0A5E80ED7DC9F48AE982ACA8DF
                                                                  SHA-512:59A317D283E2638593A82E149BDC3B8BC7E9FF0F5A575F3BC51845FCDF01174EB1E4B498C9B21897B73A461A1B2F9E068168920EF7A98F593DA61A99A83F15CE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):324
                                                                  Entropy (8bit):6.491766680808101
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKll8n/sk3c7jBQxWgqbrTSMHmxHuESGmO2+vi8A9hN/sup:6v/78nMtboUKcuWgqbf5EHLSGmS6jD/N
                                                                  MD5:59CE25E2011AC621D8C76D5EBC98E421
                                                                  SHA1:27D9D254EDE7482CCBAE645E52CBB2BFB14EAB74
                                                                  SHA-256:5BE77F5B2BB5A057E27733A28E36E535076D2EF12A6263B13D2EAA6ED9E59B09
                                                                  SHA-512:3934D94EBC886D6386272D33782E8A7833945725AB227F3CB854FB2185A0539F2E43E9EC9E85A595C73F73E6BB57B289200A7E15F02240536ABF24CEA752603D
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):267
                                                                  Entropy (8bit):6.19077973468042
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKzEj/0GGou28UK+L+WVmMFntkDqnXEuOp:6v/78nMtih228RnumMV+DqXEu8
                                                                  MD5:4E4AB21E8FDEE3C90C277F6EC23BF8CD
                                                                  SHA1:2CA13EA94FE3CAEDAB3A2BE44FC18CD2A523CECA
                                                                  SHA-256:956D447717A91521D4A0B48486189795B0F0E83F11C05E32F8FE666529D040C3
                                                                  SHA-512:EC6CA34F6D975D1E3E433D3B8BA9CCE9FB6742D3F17B2DCC27B7201A98EA23479C33FD209B2584A8F5C633B97802D757E4D2BC1397FA7BFA3D802291D699C78D
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):460
                                                                  Entropy (8bit):6.83761150187215
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPKwnMRtyKIj7eaYGwoGn9iGUl/nf+wB417DbsLRtAJNfEYopHnt41dSoEs4:6v/7iwnMt8jsoi9lkwDsAsYopOdt7SaY
                                                                  MD5:09EFF4F4D770599A874BC2D94065A8CC
                                                                  SHA1:265B40063ED9EE376C5991AA39E5772AD68C406F
                                                                  SHA-256:A9238998CC2DCF53933685F7D92686C81F9433167087AD4820E121FAAEA460B5
                                                                  SHA-512:C3E01B97D92C5AF4F6A023374D4EF8A23BACA485DF82A2ADAE753650062FE857CA2FECF5AC33E720F8B92C2AFAD0C2FCD5B141475C11FD451C6DB82A9D26A349
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):374
                                                                  Entropy (8bit):6.671134871061204
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKKy/nDjX8HfN2qmvwKliLbUpyfp1HZAp8TFEWdp:6v/78nMtOybjsHfN2ikinU6p15dKWz
                                                                  MD5:4A4930AE3498DCE09DDD80775E1FD7E4
                                                                  SHA1:548E0FCCD0C382778F26D2DE411560B30BF23ED4
                                                                  SHA-256:C21F5FC164884D7AE90D306B8098CA4A4FDDC028D63B04E75E06823293960D3E
                                                                  SHA-512:68ED2585AB02E9B3ECBC481C55FF3B42721D9689502A9E0FBDA162FF8C9AF78FCD98B0DDA683EE1224A14C5543271DC953CF788F5DF8AF38AD757CD81B88A6FE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):301
                                                                  Entropy (8bit):6.433970126002673
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyK9Ej/0GGou28UKwrQdo/0ek1kCjFO75gD5NhUmuVp:6v/78nMtsh228RwrQq/Vk5O+Dimu7
                                                                  MD5:6212A7A0F72777E1702FF69655C11014
                                                                  SHA1:340F31181297EEFD1E7C710A53D34812F3FE5586
                                                                  SHA-256:5E0D0CC1E5A7CCDF0754A131C00FDEFB345E763047D00CF458B485A660F8C961
                                                                  SHA-512:819DCB658A57907C700366518E19814D2FF57DBC0902843FD1E5C0D140AEF9163A5EA0370A98EF93EC4D997DA362A96B9D204B30C2F45249B00BB2E92AD05FE8
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):275
                                                                  Entropy (8bit):6.241760254713669
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKxWuGoM+kPJzlX8jjbnbbvkLV+Vm+p:6v/78nMttpM36H8LV+Vms
                                                                  MD5:F7515A8ECBF2AA3AA9C57DFF3B05753E
                                                                  SHA1:F51571132ADA200E233E5279014F6E396800C8C4
                                                                  SHA-256:5BEBE21F8829533D8118E9B47DD49E2317C735A472477B583211670782312665
                                                                  SHA-512:9AE9D82588858A39C6B56B99AD2703CA2652EB99358B234A632D47C38E1FE48E1548DB7CC763352FA1AF4E49B0A4CF3DDA9B8425BBFC94FAC4B7D1E957294988
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):358
                                                                  Entropy (8bit):6.674957154010901
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKaX2j/0GGou28UKztI9ohN9y6EHnqywm1jgWHopHbp:6v/78nMte0h228R5mvHnRwpWHopV
                                                                  MD5:D0301F65CE574CFB8601F381A04FC2DC
                                                                  SHA1:B970384F7B4D11280A41498CD99B73FFA8EED575
                                                                  SHA-256:D1E2AA31652F8CCD1F8C6BE5F7DBE5056407DA790EA8604BA776FD9856546BCD
                                                                  SHA-512:17CE1CA8593D575544EFDE570A30BD5D78DD7D35FF03C25D990ED11A5521D95BB6FCB7FAE899D93B7C46C8F5CC7C2533763A1D4DF31D7CFEDB8256801D0AEE56
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):6.2049316386300095
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKOhknMBpLYoTn40eWus7vrGVr3gWndp:6v/78nMtKhFBpsWnLusHGVrgWz
                                                                  MD5:0943B8C4B397211B1C73B2288D2B0655
                                                                  SHA1:2437C95E1CBDD6240D84EEB88C57CAFDFA5AE792
                                                                  SHA-256:4221BB09453A0ED7183FB675B374F17B5F28BA7097AFBABBCCEBBB05EC557911
                                                                  SHA-512:DF7BF3F6DEF5CA7E227EB2BF3F1E313F066C3AFE178D584860D6D6325B03DBFE6949C0C72643C3E0D8748767182892D7FAB4D090C1E86FC7D1911D58EF13FC3E
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                  Category:dropped
                                                                  Size (bytes):325
                                                                  Entropy (8bit):6.5022763903385785
                                                                  Encrypted:false
                                                                  SSDEEP:6:6v/lhPUnMRtyKFEj/0GGou28UKs/5Ln9R/ZVfFMXqfXMsnM2Sup:6v/78nMtkh228Rs/550yMshSc
                                                                  MD5:ACFF953EC211AF6260069114D88B5D5E
                                                                  SHA1:DBCCE1D8B99F2AAF2411FAEE55885CE4B0C87343
                                                                  SHA-256:67D52CE987D7BB34817359BB689C69DD769FB3D147D136C65F16F94FDA16E2EF
                                                                  SHA-512:6C069BA0EB35774A23A3FB8B46119069F510AD7F0B3F9FB5B98E3667C91EDA0E4D5508E79480010B829C86E35B7A62CBAB6B0350169AFF8FA58CDD5D7869D650
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):158192
                                                                  Entropy (8bit):6.276215721465373
                                                                  Encrypted:false
                                                                  SSDEEP:3072:CHpTY9D4S6S8AFezF9bqtdf1i+PTHnlLee0cw1XbCzoll1e+Asrm+P0w:CHpTnF+qe3yCzolfe2rm7w
                                                                  MD5:04932B84E5CD4EA826840EE8EDE549B0
                                                                  SHA1:6FE6F09021D4341537EA0C9010048D37462A0782
                                                                  SHA-256:74DF283D6DDE5FC5DB3073619F712A80C9DEBE38291D3EF91EDCD3C220601407
                                                                  SHA-512:35E5C73E59785DF4E30BBE0B8B27960C9F38E3CF4944E0470622DF20424B421387648172427C17AD3502FAC3E2DF4D1C21F2B9B1E5261B6707A528D79F9F3C00
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4700448
                                                                  Entropy (8bit):6.762778198451197
                                                                  Encrypted:false
                                                                  SSDEEP:98304:GF+qQZELs+X7bVqGoFkzfwnxPhSVM1CPwDvt3uFGCCLh:a98Ks+rbVqGoFkzInx11CPwDvt3uFGCq
                                                                  MD5:D1229452CA48896B048BDB0D12A5C505
                                                                  SHA1:D2B73383DDADE5BBD42669049BFB6265892572B7
                                                                  SHA-256:D9E31123FB00BA631FCCD9E697CD5F4DA4A4D09CB62F5B6F2F4C49EED8A8E27E
                                                                  SHA-512:5401A94C8E998A6259AFE7AD930E914CA3F5AAAED4F706EF6151136E568B06BA8C3BB27AB04F95CBBB40FC879A75C0B7C442A586D54816E7109F8FB2755BC6CA
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):252912
                                                                  Entropy (8bit):6.26449546686269
                                                                  Encrypted:false
                                                                  SSDEEP:6144:azN0KgZEaVmFI2qmDsHVf1JJKDo7wv52DP3dBrmSF:m0KgZcFIHmJU1BrR
                                                                  MD5:EFE675C00C0543DD08AD96E4D7DD022C
                                                                  SHA1:539A1724C5DB6279D239E28BF0BC1D06751CDF02
                                                                  SHA-256:EF3A3677540AA47F1543C475E4531CE8BE0C70FBE3B75957C0AD6A0993A4ECA5
                                                                  SHA-512:9E35D053D2C2CD5B3A70ECB88023B3854A7837D4FD0498622C9238A5D8EC0E2DDD51070A8525E2ED066B76E67FFB4602BBE7BBF1057D23373A71287AE7B2C126
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1396736
                                                                  Entropy (8bit):6.735401999676938
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ofcrcqxscK9J+jARFtUGRPIsTywaHC/Vm4sXCYl7Ks5mehO3y/7Q31jfMYgk/yJh:ErzGD+mfXCYVKjLxM
                                                                  MD5:923F2B061C22B2DE64F2B228F676FE95
                                                                  SHA1:40830C37101ED4F779955C8D0E1718D51714EB83
                                                                  SHA-256:5D15CA989ACD53DE9E458BCA2AC226ECE6C3E1CF97B070C930A9F3F4B6144A21
                                                                  SHA-512:C74840D5D5DA8E7B5BEFDD5DD4FDFF5BBD96D0E4D244CD69672C665CF490B7936347B66AC505FD3D1E7F75104281CFCB0702022274FA40EE71D6F08E672E896D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 24%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):829216
                                                                  Entropy (8bit):6.300815379570505
                                                                  Encrypted:false
                                                                  SSDEEP:12288:/qxOwtce9UEE1KK2+SwtLde4UE8b35Vv8RAmpdEVB3SP:/It9BE1XYZJyxdEVB3SP
                                                                  MD5:18232E66F7998529421B051E678C38A4
                                                                  SHA1:3C040DA458F9231D3077193AC4A1F68144B8E2C2
                                                                  SHA-256:B9E15674A3DC28D604F3A03398F2F421C3654C1376D5AAD3A4835538E1C61F1A
                                                                  SHA-512:31258C52357B648093AD9AEC5760F0012202F596DD14F6C3A50DAC37286CB811F0CCE3BC418502767686FC199679DDC8D1F3DC790F19B8040D0229BC5DB636A2
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):66544
                                                                  Entropy (8bit):6.309954882128114
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Xoun2j59yXrmGv5jqGcZJt7im3YtQrmEKP0m:XUyhAJt7im3YtQrmEKP0m
                                                                  MD5:4F8C576F1515282FF03306B01DE7F75D
                                                                  SHA1:52CECE362F99E1B65732F54275F9CA984338882D
                                                                  SHA-256:C27F1770F0648A3FEB826C6D480CECC37D8D807F193F45B721EB466688FF3998
                                                                  SHA-512:7DDE6F439314C79C485A3B2EB7213FE17FC822377984B77CFA4012E2AB0BAC4C0A5B2951727497D2017DBA2140646E71A169BFA720E0C19D54FE4FF81552E59A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):18367853
                                                                  Entropy (8bit):7.968497771189572
                                                                  Encrypted:false
                                                                  SSDEEP:393216:BLz4LssSDaG2WEXljHcVPZBfJgPWFp93OKqNZNJyXgjrHKzMR:CLJSuCCVHaiPWFpkNzcXgnHKgR
                                                                  MD5:C6C96A3F5AC8A949A7F920D83D4C8B3F
                                                                  SHA1:2D6B7E5973DA5B3A469C4D6B426A02B7AA4FF9E2
                                                                  SHA-256:753BA6FDC8F9C1DE1627D0ABBD03E97E2E97AEF3E5823A6C8C036B68D48C301E
                                                                  SHA-512:EE9FFC7C6B996B9DD9421E23444F9F3D72E002E6CD50E7816325DE7392E49240D6B239139D5C2C7F7FF01EDE0F35077B95C77C60995E94405A38E1E8F5B263AB
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):124409
                                                                  Entropy (8bit):7.718272830707501
                                                                  Encrypted:false
                                                                  SSDEEP:3072:1i6Z6wsvoYmg/SeP7rXuLU20fGqZLdlC8IvgvGR:7XsAySk7rXu+fGqZLdlWvCGR
                                                                  MD5:5A4FE8E78A6C9254B36919DA9CE7799F
                                                                  SHA1:27276BC48C907C856F0EB72CF6F3A48FA3A92E44
                                                                  SHA-256:44E1E786291E335C6E4DCC9B2EACA365F06EEB8534A0CF8912DAC550091C4F46
                                                                  SHA-512:5C8B22AFC7B07B8DC595E6998819A4544603B6A8B3100EA653F42826B340C5930A872C01BA90269A783FC955C7024DB26088D4333D22DE5A632B0EF4734D7CD8
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):51389
                                                                  Entropy (8bit):7.916683616123071
                                                                  Encrypted:false
                                                                  SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                  MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                  SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                  SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                  SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):12133334
                                                                  Entropy (8bit):7.944474086295981
                                                                  Encrypted:false
                                                                  SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                                  MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                                  SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                                  SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                                  SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):41127
                                                                  Entropy (8bit):7.961466748192397
                                                                  Encrypted:false
                                                                  SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                  MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                  SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                  SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                  SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):113725
                                                                  Entropy (8bit):7.928841651831531
                                                                  Encrypted:false
                                                                  SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                  MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                  SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                  SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                  SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):896846
                                                                  Entropy (8bit):7.923431656723031
                                                                  Encrypted:false
                                                                  SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                  MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                  SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                  SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                  SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):92135
                                                                  Entropy (8bit):7.945919597257173
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Jxw6Uq67COVGkuLH5Sr6DPHoXsUJWLgUpDYC+ZJk3kJoPUFX:Jxw6v67bXr2g/WRVtwi0Jw+X
                                                                  MD5:22F603FFB69D73089DDE462D567E88C9
                                                                  SHA1:7ACF3CADC41F208280B8F115C2EE58FE16FDB538
                                                                  SHA-256:27047E3D872637D62DD251A1E7CBE0AE5F1DD1F0F275A06405E6C673421681C6
                                                                  SHA-512:AA7ACDB5DD69CE5C8C62E4A89F65F94DD9316F9364E30EBEB66A542FC418FC586EC41B0D13D41548EB05B4B96E22113B879D20B9F146B935D8B6CB3826E78A51
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):460349
                                                                  Entropy (8bit):7.928980735357845
                                                                  Encrypted:false
                                                                  SSDEEP:12288:y8d3lQXYWlLLH56T4J+1hdWvHBmgmhhs+RGJ1:y8d3RWlXeMqdWvHczs6o1
                                                                  MD5:B396D42998F877CBDE5B93A1B238B5C5
                                                                  SHA1:ED864130A63A807EFC16CE9F97F8C24750A14C35
                                                                  SHA-256:734130C3E9D7A12A75BBB194C9FD29DFC85FD802B42B3CCD2C617C86FC905473
                                                                  SHA-512:8E44D12F37DE7A1F7453299FA0A3ACC566C2959A1C482DA936108BFB6514650AA3E2400AC090B65F2FE3FA53BCFF4F676D129695B10334B4160B45EF3B440043
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):718964
                                                                  Entropy (8bit):7.932673218886782
                                                                  Encrypted:false
                                                                  SSDEEP:12288:i0TENWrWZbbneYeeZXg4ao0K/3JCypyudOQjsDv+X/A4zEs6HtZrvZ:AA6Z/teKX50K/ZPov+Xo4zEV/7Z
                                                                  MD5:5A11C4A6D94E1C67F84D2D22B7012B11
                                                                  SHA1:273C3A253F6845441C6B4D0AA000BD0860574EA8
                                                                  SHA-256:AF1946B6683575D724430220DB7C948AF2598E69091F74459CCA1F97A15C2A54
                                                                  SHA-512:841460A10900517CEB80F734F1492AEEE83287ECB521BB5107BECA3684189521D56F9CD2B17A136C521884124CD1F307CE51F63DABCAC60247960BBBFAC046BA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):54624
                                                                  Entropy (8bit):7.943156238505704
                                                                  Encrypted:false
                                                                  SSDEEP:1536:QAcQb2JQBFv0vQ1ffh80OUisaBL00Yfcfd8tjsH5:QqjcY1fJIUXCQx0lr
                                                                  MD5:224D8C26B9454FFE244D354BC030CAB9
                                                                  SHA1:E531A7BAF213D72964CE4DD83A11AEEAE5713F00
                                                                  SHA-256:43622935A7EF06E30D1BDA7E77CB76488DA9E721728AE0B8ACDB1F9C7B91C943
                                                                  SHA-512:E0754FFF5801CEB2B1512AD0DDDF0D74C4C2AE97EE70A467E7D83E3AE5870A6ECC6F250B849108923AA8CA94EA3505C4CC7C9BEEBFC192B2DFF1E99A943DCBB4
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):385108
                                                                  Entropy (8bit):7.9135425794114935
                                                                  Encrypted:false
                                                                  SSDEEP:6144:WLo6BW4jXxBTXH4nfLyHInEmCC+Z/GTdy6ixx7KoLUTzROUBczZoUDYbwyKdlO5k:YvxhBDHauHIEDC+ZOTKL1IzCzZoUDYbK
                                                                  MD5:C4BF3C85D5A2B5A2482D29682F937339
                                                                  SHA1:2ACCDEEAD4904C6EC919771CE49943C9D6E8A9E9
                                                                  SHA-256:25FDC4D19B9F9BFF599212307C35ADE3C5B14D8FA326352837E2AC1919A27679
                                                                  SHA-512:51908DB9F980EAABB144C3BBD38563DF0DE3AD9AD286FD4D4F5C41B4F2D70CF278395E123D8C26A64742858A4B629902532C0AF097D020EDA92A7031AF586B66
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):44965
                                                                  Entropy (8bit):7.9310029341229376
                                                                  Encrypted:false
                                                                  SSDEEP:768:T/6WAhx73PjgF6wN1l861Z/T6dKl4U1mQUva+qD160eYG3ichd66N3LgRBG:+73PjgTaK4U85i++1bmi+66N38RBG
                                                                  MD5:A64194B2F7AD00E12C9E5AE260B57B3E
                                                                  SHA1:2617AE8B733B5E7B31180A3EED1DDFFD1B5CF631
                                                                  SHA-256:BC08974AF0D13B1B362A651329036C24CC54028F1D0B3EB327350B51E2270FA5
                                                                  SHA-512:68FE47540C844FE28B92C0AE4E8FF5C77F60A4AD0C5F1F3857412DF36E11A6053697B823E7C3D653E012F1923502DBBAAA9B03803A24344DC5C384853A3D44F8
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):2207
                                                                  Entropy (8bit):7.650310282866788
                                                                  Encrypted:false
                                                                  SSDEEP:48:pEEdhj3vrYL8RjLRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DjGqt:+EdhdKvJX/Agxo7RA1LZZAL4Gqt
                                                                  MD5:3B4DCB7D28ED3DA5F09ADE9FDE137D3B
                                                                  SHA1:0EEDA129FA837E4D5E54F678249C7265C96BE4FA
                                                                  SHA-256:4BD4726EB7772FD1A202DF3EEF6367ED66688E0603C4B970D22AC8EB560F2A04
                                                                  SHA-512:BBC8165555B54BCE7E2342CEE798F93245B0F5A4B6E9CD9CCBB28F7EF42E8B4E3DD729DB95E7B027CE955DB27FA3B8555D8015B568CF8672A4BEC9DC6028EC1E
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):698330
                                                                  Entropy (8bit):7.957481640793777
                                                                  Encrypted:false
                                                                  SSDEEP:12288:vSE51vUGc5P3jM18B7OcsnbmTk2baTrPxLLu3S6qj8fM7vX:qE5t9UPzI4OjbmTk2GPxvu3SXj8e
                                                                  MD5:372B6F9949895C86164FDF3A1E99CAC6
                                                                  SHA1:B9D3ECAFAE368E7ACDADCC347DE6FFC08D031CE8
                                                                  SHA-256:934114BA650D81262CFE3CFBA0D5A190520C05CDDDCD9A7A875E3E1D951AD71D
                                                                  SHA-512:2DB6F0FEAAD1DD724447CE6E1E1CE92C5293AAB8A661031BB4B343564703BA033410EB0BE56B223F2F8901CDF158530503C0F5B6459D7918253C3AC7CF99F029
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):81698
                                                                  Entropy (8bit):7.940663737798511
                                                                  Encrypted:false
                                                                  SSDEEP:1536:PNkjPGGpYd4vOGnXOTbAuy88LVeMdC/FEM9ZndTL8kSCXWO5o4HMSKSg63WiWdYG:Jd4mIXpHdAVgkuO2GXKuHVWlZlV8i
                                                                  MD5:BDD7FCA80A0E7436DC46FADE0C8CD511
                                                                  SHA1:C491F4A649B8DB593F26D25133DD104D8985AE60
                                                                  SHA-256:F783A14F1FD9E804553F54E8B97E38A5BEB8C25ADF096FD380FC1BEE391153AA
                                                                  SHA-512:6DD0A97BC791E78C28E1D1D949911B94DB3E2B08E5055283AD0195E0897E7984FACB517FF8E6C7B6E78E310819AFCBEAC9876B0FF35370AD96539C3E8B28C134
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):58645
                                                                  Entropy (8bit):7.913344050895434
                                                                  Encrypted:false
                                                                  SSDEEP:1536:r6aikQmg/FHrHESArP6j+qjHQT3K4n5pBCZ9xkQ8AgIDAJ4WY8gOY5nIlSjI:e7mqECMbnVAXDq
                                                                  MD5:4C54BF6DD5C142E6C8C1A360C985167C
                                                                  SHA1:7449C89D087ADC871E26218F6AD82FD1FF5BC01D
                                                                  SHA-256:0AF33A68F7B71F12FA3B7F27BC69B80A86633F25EB82830076ACFC3170538EC0
                                                                  SHA-512:2C5050F04B4F7AD373CDD33B3874A38AA317C996DF27630D4AFCD6F2ACCEC6A5ACEE3ABADFCF8D0182104651BA68239FA13E4658398F9F92D0E1C6D4B4F4568A
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):76011
                                                                  Entropy (8bit):7.806124696487568
                                                                  Encrypted:false
                                                                  SSDEEP:1536:WwNmF73X9Xw+OM8661csaSLwEqv4RO8zIYaHlrez:NYlpBj866taSLwEqB3DrA
                                                                  MD5:E910C6B0413AB8D4CD0A5EBCCDA387EF
                                                                  SHA1:6782B1D03ED398C4AA558C219294C6367F7C8479
                                                                  SHA-256:2A24C132034F0894A0AA38A2DFA546F6D20113783B791EDCC9831DFC144256FA
                                                                  SHA-512:A729C0449FD21D633E5F70B8FE98876E96FE7559DE0E4E137A55B329403B624D6F298B2D4BBA061AD4049DE224CC2A2C3B6FA2BDCB13430BE78E84992D537B2B
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):190817
                                                                  Entropy (8bit):7.967262446791647
                                                                  Encrypted:false
                                                                  SSDEEP:3072:SiFe3M5fvodBY6aFvCLY3HQgZlTlJtlGwNa+Uk3/+y9L:o85XoHaRMCHQelhHlZVlGy9L
                                                                  MD5:435A6696E8BABB8D66B3D838FAED2BF9
                                                                  SHA1:4EB408C7D7E6A347CC6F331CAEC10DE7F55FBC57
                                                                  SHA-256:3F55459BE1A9E300D872F712039F975A3C5BCCFDC498CD0A603A465DE8633300
                                                                  SHA-512:D3D8D34400230FDDBBCDF469786869FCDF50491CDDF70B58ADCB33E959A5ED8649E374E714FFFFA7AA2D4884042F09B0FCB7963402B65BD48E1634D099E2B2BA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):4035
                                                                  Entropy (8bit):7.63515724105447
                                                                  Encrypted:false
                                                                  SSDEEP:96:Yq0GYT9RMGlLOkhw8KvJX/Agxo7RA1LZZALaGXDHHs:f0GjlkhDKdNsAlsnI
                                                                  MD5:FF54FAF2ABD3B1BD2B868FEC043BB19D
                                                                  SHA1:C6EBE8364D84B85478C164A6A6A09FEB4394F6A6
                                                                  SHA-256:D73340591C1D956650175CDF0B12F5523EE5D5644ECDAF663DD7F44EBC28290E
                                                                  SHA-512:F6225B4F0FD673226F20D8BFC9A99851FE230C7DF59472FE07269B83A52F52E5878A39B9B2C55D8435E98C140F16BC383AEA01D4AEDED5BC4531084D491A3B37
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):670979
                                                                  Entropy (8bit):7.887042011821685
                                                                  Encrypted:false
                                                                  SSDEEP:12288:aXgXoXuXOLj7awadMRn6HG46P4IN8mvyHswk596dQLreo7Z6AAb1yRvuASgS5Mey:aXgYMOLj7awadMRn6HG4y4IN8mvyHswi
                                                                  MD5:895377EEDFDE160D01971E53C5657F7C
                                                                  SHA1:8A3E4A11683A7F406DF57277921A9B5E49DCA185
                                                                  SHA-256:026D61591C17B3ACBF900F3EA676452CC668062116C5B823709AEABBF77AC7B6
                                                                  SHA-512:D73AB337D179B07DB5F01D58243578687A9E4323BCF6ADE8137E31D882099966EBC8C132CC3A5391A4C77D532B54C5354C6C0279CC24AC0970375B0EEA0EBEF4
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):517331
                                                                  Entropy (8bit):7.932914811977659
                                                                  Encrypted:false
                                                                  SSDEEP:12288:3Jcwf4nlwkOnw0dGfGf2NNdGGF56ZwDcBy:3Jcy4nlenRGuf+NdPFke+y
                                                                  MD5:1BF162783EC1B1DE6BF846275CB30304
                                                                  SHA1:DAED3EAFA8D19CA690F8A46B55DEFB0FD5F55387
                                                                  SHA-256:BE8A7293DEADFF4410281D93A0B6E8CAF2ABD08486000F933E2B7794998B0AAA
                                                                  SHA-512:71000CFDE3B33D7E1DE2BE8F34D1A4451CA37DB7C7CA28B59A6F6C00A730E974EE9F0AE4868659B9BD47970FE70CD83A4F523AD0D03F70362C5C7BD7FD99AC95
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):286933
                                                                  Entropy (8bit):7.911348853312728
                                                                  Encrypted:false
                                                                  SSDEEP:6144:vlan58OL1oHDUV6c+45ksJuLWjNAN3ZtjV5OyaFQWIWdB8VimLL:vZHDezuqcjOjQWIySs6
                                                                  MD5:CB1CFBA8201EE222C2D69845FC055F84
                                                                  SHA1:8C448B58260790B6B10231F0153FC7438B41F4D8
                                                                  SHA-256:DE900FCC734F2CE46175DFBAA4C26368452C6049EA96A35F1E27F5CD988C9D3A
                                                                  SHA-512:2B69DD8B25F2549C4BCD4F2F3E3FB21F0EB66FD8BCAD4CEC0F7B731317041BC01B8329644109C0823839F3BA78BE48CEB227C5CB958CA3101E24035C24FD15C2
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):38562
                                                                  Entropy (8bit):7.938691448340528
                                                                  Encrypted:false
                                                                  SSDEEP:768:YFL2bxkq9mFS8C+9OwdExG3rjwo6LkgHVOImnz3E2/ElTMst5G:Qalkq9ktCCOwHwo6L91Dmnz3E6ElTltQ
                                                                  MD5:B1ECA358F4D3525178F96244F11344FD
                                                                  SHA1:EA84D813907BA33FB66E54FC0A8272230F7F6FCB
                                                                  SHA-256:178B1246FA90169F75CC8DED648A88276DD252A28A85F26676777D75D290BB64
                                                                  SHA-512:985D19030C00EAF12E088184745739ACA59797D6E354FD41B1483A231E66479DAC0260E1BA9A3A5FFE4954CD69EC8FF49ECAF7D14DF0C4333BC77B2790EAE410
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):351274
                                                                  Entropy (8bit):7.9627246365800355
                                                                  Encrypted:false
                                                                  SSDEEP:6144:ulMVIrmuMtJv/bpPkLG9zDEUa9NcHCwegOkCh0Tmj3/pxk3UKFZW7dc:ul6tltM6xDja9CCuOkChC0BxkkKFZwc
                                                                  MD5:1327D707FBB8DF3EE0D70D15A9C0D040
                                                                  SHA1:C4659E3754C6FA51E043AF8154AF8A9EE18A6F48
                                                                  SHA-256:EF9D8D43781AF4C7A1952014806FD3E36036DF92D62E79A3C0AF021CAB6EDA50
                                                                  SHA-512:E67C3E11EA5E962345CAC9682BE0F66E21CEB754AAAB2B48EC504D5EC50462BE5A96F59E28F046F9D3565E6C27214BD1793D8354DFA13FD99A2783EC44AA3AB5
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):201772
                                                                  Entropy (8bit):7.9524710852936815
                                                                  Encrypted:false
                                                                  SSDEEP:6144:9qVHcUYpfJbKNaLV2ppHAVxWHj+f/ehKAqW:9icZp0yVOxA30j+f/eJqW
                                                                  MD5:263F17CDB67CA9DC7704B373ED4FFE6C
                                                                  SHA1:6F8E27D98F9187BF6A19A6C048E4C1E8AD43D2B1
                                                                  SHA-256:C35E8D06078F41B89D152DF528C0F577A65BEE1235379B17E0C5BC54867B80FE
                                                                  SHA-512:6C3689F290F6FAC4A090B6F01B7C2E70390F158F548D2E3F3F04F5383C895DA6F2D0092A254FE85D3FE0FA9BDA8F50DA72173ACC9A0AC99F590A22D6E370D3B3
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):78196
                                                                  Entropy (8bit):7.92845847050618
                                                                  Encrypted:false
                                                                  SSDEEP:1536:k2Na/LNYo4Z/rkUG3FVnJP1Uufitv3eQccdatnKdknGFe3mUsGwzMOpOICSCSKPm:Z4CQls2igDGFiCgtIVjqSi4Hh
                                                                  MD5:6F42045F475CC7E5AFCE90B03AA6ECE0
                                                                  SHA1:51D26AA2154B906A29A931151887E9EA5C11962C
                                                                  SHA-256:F35CBD067FA654E4782847D60E27BC6BB19329C144CE724836E11ED3024885BE
                                                                  SHA-512:630781278A0BD196D38765E37566E8704CD09EFB48E267EAF541AFF60D0B3585884F4F27E5F6C4A0E5AA1536B5CB1F84DCA65E02FD80D22F5AFF296D2E6DC396
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):164226
                                                                  Entropy (8bit):7.892034326519069
                                                                  Encrypted:false
                                                                  SSDEEP:3072:WduPEhfhy9SH8Y4zuTV/9nrPcTYxt7qnbN6LjTjAW6+w0ghchJK44kupSzOxGwQJ:WduchfIgHAzuTdR4TYxt7qnbN63TjAWN
                                                                  MD5:5F943224E4AF329272D7FDC2066583CF
                                                                  SHA1:895810831A50558AEA8DE45E121E5166030B9E54
                                                                  SHA-256:AE6BB704E5073B9A0A72E767E7621077E78905799EA24493D23F11E41B6D8E83
                                                                  SHA-512:BDFC9110CE85062532C583920D2AB6D4EEF9345E87FE5C68264C3E83020705E3AD3C4ABFA248C4C3C59FA9718EFD288B19DAA78C684A856F847D5F6864C24015
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):7108
                                                                  Entropy (8bit):7.811258404475187
                                                                  Encrypted:false
                                                                  SSDEEP:192:Q8DM/XTGw6L+YSUUgagGBdzubltchdvvWKdNsAlsB46c:Q8DM/jGNx7agGKblGDGLAD
                                                                  MD5:AA734D758967C9CC99D97CADAF2CF600
                                                                  SHA1:C11F74087C937E8A29C7B8E9E796896D0D9359CA
                                                                  SHA-256:614B6DAD2877EAC8D0E1F7D29F2067356C3ACC3CAA40DC6DCA23953F416D79DE
                                                                  SHA-512:959EDABC1255EF215CD76F949FCD6B1809D9A8E01BB320165AF0E9462EBFE62646A6DDE9017FE55944B5B9036C2FAAD87064C2EE64B46EE80511A0C6761CE988
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):102118
                                                                  Entropy (8bit):7.881915775504197
                                                                  Encrypted:false
                                                                  SSDEEP:1536:hA2EjV4dImyeS82MzTdgErULKjFp4Fm1CMfe1ChqmxrMylQEnEfc6o3zqZ1o:+2Ej5mlP5rUGjFp4FbMfe18r2TYMZm
                                                                  MD5:F4F26CF1AABC52F9C792551E45F971CD
                                                                  SHA1:98F52335B802EDE4918EBE4725E79BF59BD48029
                                                                  SHA-256:AFDA7A68032E31314698D506E38EE63682A506BB72D6620DAFEA6DA1578585A6
                                                                  SHA-512:820ACBB8CAC8E19383B5B5D93AA475E83186148022EFCC125001ED2A3CDE96B9F131D083300D62167687442865ACC79644E169553A4C749FDF0E43203C938124
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):67990
                                                                  Entropy (8bit):7.946352945303167
                                                                  Encrypted:false
                                                                  SSDEEP:1536:bUJtgSL6NznTI0AE1ZSxiubggeSqtx0xp/2hQ9rW76B93ap:bytF6NbBz1ZS3bggeSqtxq5/rW76vKp
                                                                  MD5:E9CBB864F1F0780B15F40963C426E6F3
                                                                  SHA1:F910917052336D532732647BCDB73D80DF612C62
                                                                  SHA-256:FEEEBA790ABE0CD4A36BBC68FE29185B4A152663ED5FC6B6261FB40E729D3B21
                                                                  SHA-512:DE83F8F52040E862A495881C59A5FAD444A012DCDCFE65B56896A079D6DE1B4668138F48C9E50E091BD2F83E11F090CDBC38E47FAD52186DC6ACCE6994027535
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):944571
                                                                  Entropy (8bit):7.993019507850888
                                                                  Encrypted:true
                                                                  SSDEEP:24576:o/LKQfuCSkRb5ZBlZQQILYqwjypRJ0lqmAp:4LKQmCj1lZQvLYqweh2Wp
                                                                  MD5:D202B393A656A5E8C68687B4D33F55C4
                                                                  SHA1:9B41A22AD8105D3CF3961AD8F4D6E750BCF291B4
                                                                  SHA-256:5619F01649B53255A0A3E68CFEC3A4AD2DE6200F83E347DFFE083F0839AC467D
                                                                  SHA-512:01CE53A2C06BCA793DB0AA9E7011A3D4C734EC1B4DEB289CF3E57973514DFE25D325C3C401798EE22CA06FEB47D643CCD73880F064AFF27449691C189C7D7AEA
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):7519
                                                                  Entropy (8bit):7.847897535550514
                                                                  Encrypted:false
                                                                  SSDEEP:192:5IDZZqI952/n+g5u2ssRZZl3ewqKdNsAls7+B:2DZP9HgAuHZo1LAR
                                                                  MD5:C8936F98B9091974AE938C3DA77A2F25
                                                                  SHA1:F5A9C8C0883DE8EA79C3BD9D8AC3F80C11320157
                                                                  SHA-256:138B3AEDC0F46E2CAC688CDB36B78E9B06D102E8DC9C3E6F8A7CC8ACAC993263
                                                                  SHA-512:BB4BB7268C81DD734DE01977AA2AFD1CB4301C09EDA7D1D6E396EB7E24034520F52AB4111B9722EC32FE2DAB158D21B5DDD4EC579FB29125BBA3BD91089AAC4C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):90538
                                                                  Entropy (8bit):7.8478943536932055
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3fa+mzmuYgDlJR3aOy11mrrGFHz6FH2TD8YR7IactS5HK/6YVGz2OMPCzn3/PQPr:v1mzh9vX/az6FH2TDjIStA6gODz3/P2
                                                                  MD5:2F1AED1638554EC6D6479CCFECE4F6FE
                                                                  SHA1:767011B093A860A269947435B42A0918A031DBCB
                                                                  SHA-256:1CD4ED9D066D1C5D2B8E179DED7024F2B52FCF9364F1C0765C5D579FF73CB2BA
                                                                  SHA-512:987952BF02E87A4011B77A25CF3811BBB91FA0C166F3F7BD31C83A705A821685252F4F9C280AC77834EF6AE8BD57D96A467E8D2873BE1B8ED898F18AA72B195E
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):424947
                                                                  Entropy (8bit):7.938896145421226
                                                                  Encrypted:false
                                                                  SSDEEP:6144:kDK++kib1+dsmo6Asyn7XP8VClZe/vgPpHH8qUINO2QEnPyf2rQ5ASe:UrwbQno6AB7XPgCn/Bn8NMfQIy6Ke
                                                                  MD5:4A46A0B3A85C592A5CD1A875C466E386
                                                                  SHA1:9863CCC4CEF7FE3A46FB9A99CB367346B8872D3F
                                                                  SHA-256:05EB47739AC18826EA713F68E0611EB59950255AB002FE3CC7CDED75A9CC2464
                                                                  SHA-512:9D1B7EF66CD98A22C3A6E160F315263643F444A86F8C237C98E1FA6101A3A607B49266E085D45AF9F8A1FB232DB85248C046DA22FF2B6B679656EF6CD8C71DCD
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):81856
                                                                  Entropy (8bit):7.846420334642564
                                                                  Encrypted:false
                                                                  SSDEEP:1536:11nsYEHYbC3DfjgQb6r1sPX2ShUVu4J6FI8pn2aGZsUpCi7Lre7jDZXG3tQ9D:1BsYiQqDMriX2PVuM6SGrOLsK3UDZXMM
                                                                  MD5:E47B28481EE70BB515D1ACFC17C9D84F
                                                                  SHA1:5BD36C3121AD501400D8A92546DA6A72FCDC271F
                                                                  SHA-256:545BFD82162D6262FE190F86F86DD497E1665235EE2D1129CD5D5E1AEA908C2F
                                                                  SHA-512:2AEA39B26710427B528BBEBAF3A88DD9D6CC8ECF350E99E99FFD7437729CC234D958601FAD30AB844077FC190190E2DDD3E90528B56FEAC451065F459CE18800
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):441292
                                                                  Entropy (8bit):7.904078584539265
                                                                  Encrypted:false
                                                                  SSDEEP:12288:xL9PUt54BixmIWVjQgCjiub1RU53P8tP9:xLhJgxmIUcWuxv9
                                                                  MD5:E46EA1F70112D65C273DEF5E61194944
                                                                  SHA1:A0545A8DE36BD509813D6E0D0A0FAB9C400494F4
                                                                  SHA-256:08738A27A0B852F2F928066F40F28B0ECF3B7AE383BE8670BE40EC51E3F322DC
                                                                  SHA-512:E7486E285DDA9376342303901C2C97216071E1512A7AA9E6D1AEDF3DF8D0639FD2F74F0B00028E9B2B186633C4FFB04B0D02ED25B7573903E114F052E8253C2D
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):6393414
                                                                  Entropy (8bit):7.903376019710367
                                                                  Encrypted:false
                                                                  SSDEEP:98304:6owraaSV2UUIicONZ4L/LgvXXtasDSECRrs+b5Fr4zvFTTJNzH8mQ:6oWbSPCeL/svX9Nwxs+b7r4zNplG
                                                                  MD5:9F834ABEAAC75525F0FCF228B7A60574
                                                                  SHA1:179F4A4E8E30686AD80582F3A0A1E1F178E50BA3
                                                                  SHA-256:8B66F9D8245ACAA5E2EF406C443E33D1FA9D3ACDCB6FC93A439C4EA1FCB15442
                                                                  SHA-512:81976CB0DC4FDAEF67BCE6276123DEF0ACDFA98B6ADDE9EF4350A018D03C57E3B3F0F8FEC5451AA34AACEF802476FF6561E8161DC9AB1F8FCDC077FB7C872035
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):12298
                                                                  Entropy (8bit):7.8734358073542
                                                                  Encrypted:false
                                                                  SSDEEP:384:4sWbgcyF3vE5ImBmW6oJ4+cbE3Rcfd8wxmy6zvXLAD:4s/cs3vEGmBmCKBP9Z6rQ
                                                                  MD5:34DFDC94E39761FC9E046893E561D671
                                                                  SHA1:A15D2FDDC81E8055E85289E409EEDD31B73DEF4B
                                                                  SHA-256:05334CBAC51A75673F23943BA026B79672440C477A0E69608FEA456C02A36834
                                                                  SHA-512:CA394A70EFE1AA102B2C01DD1CA6749009953B66FF5F426A50CFC9FEEB1452C756A72654A839D01F202A4BBBECD54CF6B4638EFC1F5AE0CDA1E41D7D0B3C1983
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):194472
                                                                  Entropy (8bit):7.970641034460952
                                                                  Encrypted:false
                                                                  SSDEEP:3072:MgedXNLqa3FbTV5vUwRraR677wbxsv1EGo76TIObRkax7vJk4VsDkT9hym9oAlzK:bIXFH31fvYRe7wbY1pH/7vS4okT9IAZ6
                                                                  MD5:325C9BAC6B43ED148BFAB975BA7EC749
                                                                  SHA1:112602CC92CB5706740FE8E470245CE5131ADD46
                                                                  SHA-256:0DD5B5ECAB1D3C4227330FF96B2CD0782BFF4C1DA082DD5BC667C693143454CB
                                                                  SHA-512:15DD1150F5BA2634EE32016FF470C5BDB6F51FFDE32E7A94265CC2298ADB1777526C907310086B5940762F78D317A051C927DF2D69D03F0CF2B35EA68B3BF61E
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):1211177
                                                                  Entropy (8bit):7.944554747269419
                                                                  Encrypted:false
                                                                  SSDEEP:24576:c4xHrlw1+43XYwN5YYB8d9PBEJAqxM6EClnYCRwQz:t5B69YYOrPeJfMrypz
                                                                  MD5:038AEACBF82A840FB86C19767F657F72
                                                                  SHA1:7883E63F46B7CB0847ECA59BEF4DF7D8A3EC8D72
                                                                  SHA-256:1430B8D1685F5DE76F26C54B56C81D5C1069358CD4709BC3DCB6FFCCB0913264
                                                                  SHA-512:154779EDA97F99703796A169D00BB37FBF46C4D1ED87F9954943860828FEA6DE3CBC0D282511977C0E5C56C084E801C5E736CD35A41AFC448E2B192F2EF5DA95
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):148116
                                                                  Entropy (8bit):7.957089717075174
                                                                  Encrypted:false
                                                                  SSDEEP:3072:ep6J8WzaQPEnQilSKrKbu4orXtAw8BEI6KyVmX632j:c6eiOPObu4OAw8B7B/N
                                                                  MD5:7FE2728D9C5445BD2E8BCE58C8EB596B
                                                                  SHA1:DC5E88F003CE98F92BBC47558BEB041FD42316E9
                                                                  SHA-256:6E07BA1C7EF067AF05AAA9B6C5EBA558C9B7C110BE19A4B8CA92750718FFD195
                                                                  SHA-512:55694DC5A5F13F82C5E2E411BB17A5CF46B350A0CB4C25952CD35B57E98B6B9AF0652DEE4F4B365401E0DCB4AB6F2C873E6F8FF015D178E211B6655F025C5040
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):471595
                                                                  Entropy (8bit):7.927361107640658
                                                                  Encrypted:false
                                                                  SSDEEP:12288:5l1yr1oJ6u/7xwGw5eHlUisCEtfyyVTJtfp:dI1oJb/7xwG4WlUibry/D
                                                                  MD5:8154E711D750D204E5358034800D4FCB
                                                                  SHA1:1ABD5BEC7F082B1A9183D36A298173A28BA37B40
                                                                  SHA-256:A00EAFECFB99C1C63FB7B33A5EE330680888215F55698B03CCAA340D74F2FA97
                                                                  SHA-512:20EF0B9A80EA8FC122EB5E5800E6CF0FCA70E95C08567675D8E46A37926B9D11C835CABCB7874F553092D34CF93CA2021DD671A437780D028A32461C736AA7DF
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):747316
                                                                  Entropy (8bit):7.912940714319912
                                                                  Encrypted:false
                                                                  SSDEEP:12288:C73JYuZSRMmg+2l8ZUAKJUUvF9MnHczIf+z71M5Ns9ey:wZS5g+JUAOtrMni571Wsv
                                                                  MD5:29D0A4D06C197F265501AAD6BAF45E62
                                                                  SHA1:83E71B0BEF3DFCB56F3E2476B1CA53A16ACEF850
                                                                  SHA-256:A9775CF5EC65239428BB5C55BDC058BB60B8CBB4F5C0B4B070D413708EAD81E6
                                                                  SHA-512:F58B00D9D151AF763B8FCB95008E154D8506023C82490714E1D23228177283643C5B1A1EF2BC52565A651A87BA9200899F2ADEF02D8BEA7E5916CA7ACFE03595
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):873528
                                                                  Entropy (8bit):7.899120036221473
                                                                  Encrypted:false
                                                                  SSDEEP:12288:va0YbDnpUDzGiOkyBcWLuexX9B5QjTQyJ9S38DMZz6zb2lPT6kax8uMCIJuTNDt2:i0wzMzrOpCWLgXSMYOzUPTtZVC71c
                                                                  MD5:70EE207E89DDCAEBBDBFE57B7274DB71
                                                                  SHA1:CBAEAC1512A8ED53D391BDF008E3490B5B19455E
                                                                  SHA-256:35C6FA0FF16DE8D51DD51448BBA85A3B43CE32E7553779B30A3AD71EEF8F3353
                                                                  SHA-512:61E299B33D34239DF362591CD2A5D37EA94F1811C80D44733CF9D536089431443FB19911D7B608D3F1B48C597CD4FB559A88A1D07B26B751168194B54E7F0E2B
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):127873
                                                                  Entropy (8bit):7.995171911648754
                                                                  Encrypted:true
                                                                  SSDEEP:3072:BJ/WTQagxB70gu3KeURn3xm1aJr2lUdrwEfNQT0:XWSBzean3xm4JcAr3Y0
                                                                  MD5:62D094CAED8190D1752D97C6EF9DF7A5
                                                                  SHA1:6351CB0057606D2B44B8AED4AF01DB32FA9079D1
                                                                  SHA-256:27CC1468B8BA7A78E5DEB2560CAD5D6CEA1D4FE63EED380C80D90A3481F30BB0
                                                                  SHA-512:EEE33F1B646AEFDD6F52DA3CB8CEEDBCBD26091BE328A8BB441DB94846CBF25BF163DC478B562CCAAE923EDDAC5583F8ADE8E09FA7B84DCBD9A3B190AA8BA7D1
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):534760
                                                                  Entropy (8bit):7.936953895862843
                                                                  Encrypted:false
                                                                  SSDEEP:12288:vtLqgAzEIiaPQ0NSuKWTdJLwUa3RPM71yj9aAP4E4:5qis+QdFw93RSyI8w
                                                                  MD5:6687450EE0EFC3CF002A404A31F0CF0B
                                                                  SHA1:2A3AF738821E03C7CB80D73F0051775D6A2DFC60
                                                                  SHA-256:BF4CE18BC133EECB6E0D7607553C0B911D780A430948B804F3BC9040ED0AE73D
                                                                  SHA-512:BA8E24DAB000C7A8C5777481679470C620486A1E394AA234B1B3E5F15A08C68FE210B489205736BC17CB642BA52BD0DEA46C1D3AA32EA278C7E23838E74AAB50
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):410728
                                                                  Entropy (8bit):7.940858294306596
                                                                  Encrypted:false
                                                                  SSDEEP:6144:Q0N3mgGVIQyaTOMi93AcpXpRfT+JjHS4W6dTL/doNBnUCNllxPZ+6UOP15If:vHKPXOMozpjsHS47RLF2BUqlTZ9UOof
                                                                  MD5:6B537512C2F426FB7D0EA53B2C9B88F3
                                                                  SHA1:52648A05552B27E9F7E8FFE39EC12688DA901E16
                                                                  SHA-256:09E7D2A027BDDD185DF18CD8D7042B1C6464664B82F798FB7DD81205E16B8A98
                                                                  SHA-512:E51CAED2A7181D2A275F34093F45E1C727196B30DFB26B16BC0439E7C449F98CD65F257AE6E3DCDB1BF55390CC876EE644F6BB9C16E06052DB56F07AA297F2CD
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):663529
                                                                  Entropy (8bit):7.949945206904611
                                                                  Encrypted:false
                                                                  SSDEEP:12288:tLcJdcxVT6CFASpD7Qzw8EunjWLmxQ2jWE+6pyTACA4oqu:lcJdcn6KdY9iTop3CAvZ
                                                                  MD5:5914B236665D99E5E396D3C727ACCEB2
                                                                  SHA1:6610D9A8F450DAC3AEDB06306AA0F99224D13F8B
                                                                  SHA-256:3A73276654319554366BFB46AC82BC1D6F2C93989D9DB2104EDA519BA310D654
                                                                  SHA-512:A4ED568482BDDAE0A06A530555ABAAEA31987674693ED34FD460C8960CDD29615984174A85D60D324619844CB80CF86B9CC310132ED6D763311347B5149A7F75
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):3098
                                                                  Entropy (8bit):7.5832881194591995
                                                                  Encrypted:false
                                                                  SSDEEP:48:pCDh92jG/7jnZhQyhuW0KjhRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DVGOveUz:QDhLQ2XKvJX/Agxo7RA1LZZALCGOveI
                                                                  MD5:E495331A4B7EFC861687151B3647CCED
                                                                  SHA1:2EC5BE517CD31D9FBA085EBB432DAD9BC7D2186C
                                                                  SHA-256:04F7529F454B7B3DE70187C4B8457EB1F1F81B4F38F64B4509B5CB733AA80CC0
                                                                  SHA-512:C2A85AEB8B01FB37CD82235FF55D1E766FF3F45B6B4BA93A51A60D0D2A1DD19C2F95FA40B640BBA75D284175646CCCD3F5920DEF420BA7C4824829EFCFA54A39
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):33913
                                                                  Entropy (8bit):7.925452325822178
                                                                  Encrypted:false
                                                                  SSDEEP:768:UBjs99RXqRNMZEJvWg/hm6LY15x/C0WcqutzJuUyS5m9u8ynj:F9EWoJYNC0F/z8UJITq
                                                                  MD5:C40DFD30EFE94EB2E213E0B12215B482
                                                                  SHA1:AC7B8037B7FBF1BEC19AA62E9792598E6CA6CF72
                                                                  SHA-256:A4D36A1A5112F9F3E793BBABC690255962ED8894519004E7EA28F17C3AC39A32
                                                                  SHA-512:0522C1A23A4CBBE4CEA61EAA443ACAF2FBEA09F1EC657CACF254489ABDB36DCD8617C586431304E25D51253A1625C088C36AC76EA0759E73F0720A82866958CC
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):81621
                                                                  Entropy (8bit):7.930307384934393
                                                                  Encrypted:false
                                                                  SSDEEP:1536:b4z1HiSObJI7P6ahupea/dABbwU5wkwoKlzX6juezDDW6zrV+RZwOZjO2:b4z1HiS0OyCuEjchLoKlL6juofKxNz
                                                                  MD5:1A0F24297CFE2D15AAB00F31458640B6
                                                                  SHA1:5F4D91F26DCAE7AB0FB2B0FFE69C610E6B6AC273
                                                                  SHA-256:6BBE768A88034193C63670B2C037A7C229155C08275A69321A09715690422855
                                                                  SHA-512:27EBD97ED0E9C0BC9D29DCAE5837A0B478DFB7404233131E11AD46128FE110EF3D371AB5EAFF41EDC9D503BA6509FA61C8AB8D1536DAE7B5100087AD9233C1C7
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):35841
                                                                  Entropy (8bit):7.895920206921998
                                                                  Encrypted:false
                                                                  SSDEEP:768:01aLV2OeSrEWXZIj4RiHRdIuRK4jpg9I6app5uU8OIW8Gp9xwFJ2I6fJZdTX:01aLNLq88R7qRQuUT9jp
                                                                  MD5:2AF6A1F2D4FB1FA1AD0E8150892C4A12
                                                                  SHA1:2A1DFA6D16CE9ED226BB541AF3AD11E8466D205B
                                                                  SHA-256:3E223217F96935D6890A6E3BE53F90BE5E52CE6F691844AC53A40CD64481FCFB
                                                                  SHA-512:E0CEA8C7A25A86CB61512186D78564AD9CE08B3504D677BA4E797C7FE542B0DABB4C5DEB4F06702EDF449B7531AC4B665BC3B278E92E888E04EFD3CF41F0A982
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):69486
                                                                  Entropy (8bit):7.914145548898423
                                                                  Encrypted:false
                                                                  SSDEEP:1536:wQk+DDx0BvxFbTf8sCDrGvo9SFOwliS7QWAfRbfjM/Rd3N8CkQdyyFKLpW:wcDSFbD8s+A54E6fMH3N8CkQ+W
                                                                  MD5:295ECFC1A63647735DE3918D7B61AD15
                                                                  SHA1:7EAD8158CC54073AD4B5594446FC1275989D750E
                                                                  SHA-256:032F0DF66BD529D7D9838C9A0A76B7B825430EA2089B9C732B86F25EBC99DEA0
                                                                  SHA-512:52EDEA1A5315D5110B9031A0BE23C3952311BAC1FBFEAB758C59F89F1BABD3256C19D713FB3473CBB9F3498B2634883E3E57E55B7679B9392570779971619DD7
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):60084
                                                                  Entropy (8bit):7.94170672965016
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Ko+W+rGMpEXYiqAD+gL24MrD9OYvVng1y3iX2r:L+r5pkYit8PJOAVntd
                                                                  MD5:29EA5E44B576D8EDC8334535ED8152BD
                                                                  SHA1:3D42D41A1E32054DE879F95D3E8D26EF2C7D0A66
                                                                  SHA-256:004819FB8B5C46995DEED0477F074CB15DB7862E4C4A83B5FFB891D4FAB700CC
                                                                  SHA-512:91546F0FE574F78CC02A7E285ED981129EEB5F2077AF970B6B620DB739CCF105ECE333DD6C9E13150CBAA54D710EF6FBAFD910EF68091D4F6D72DCAF9C4D8DAF
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):18962
                                                                  Entropy (8bit):7.879095599349228
                                                                  Encrypted:false
                                                                  SSDEEP:384:JEJj14/v6ubRBwV+mtm5VpVAlF+D+6XZsLA2:JE74/CMemx+lgS6XOt
                                                                  MD5:F11E5D65863146758D0650872CB3A164
                                                                  SHA1:0E5EA724EB4EC991DF4FC7626DDBFE77FF313EFB
                                                                  SHA-256:9EE120517DD4F711C5C3662ED77555059861291DC78CF349615F0A51BC79A7E7
                                                                  SHA-512:242A225DEB9A88FF208511F772F19BA691EAFE2CF42597FA29A9D27B07CD7F5C7C5D5CA1B1B1DE381D8705E9F4D6751E7084A17642A56CB1802E0B3C9CD0E962
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):16691
                                                                  Entropy (8bit):7.835716025973249
                                                                  Encrypted:false
                                                                  SSDEEP:384:X35ZZ+W608/ykiL+E3OgSd2yDLDoWlgv6LA2/c:XpZZ+W6zzPn4y3Dn750
                                                                  MD5:7B3BE04EFC27E0560C20006170E899DD
                                                                  SHA1:8FE7D7B4A04DC3F1A31F97CC17BAB31A94EC42E7
                                                                  SHA-256:6DBF1422C48BA474C70426686229DF1AD32A20582EEEE1E5D79F288933CFF20D
                                                                  SHA-512:E64FD473691976F4DFAB2001D15C7D72F2E64FB6F126E41D906A11BDDF600D0E5ACF6ABA54B0535DFA12104EDAFBE4309CF22F4A64BCE3EAC33DE6D949A97B80
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):2573
                                                                  Entropy (8bit):7.585716552925947
                                                                  Encrypted:false
                                                                  SSDEEP:48:pIVaWgvq2vIt8Fn3fjPRg2EJrb/cl3gxo7RA1LXn+q3JusEL/dv0DHGavq5:Kavqbkn3jKvJX/Agxo7RA1LZZAL8Gav4
                                                                  MD5:6580F1626A2C55DA21AC50143B4C92C0
                                                                  SHA1:A28A5BA9620948355E0CCC9637C740963D3EDA92
                                                                  SHA-256:624B5898A3FBCD11E6E6D681871B9E8B307684CB068C6F17E66B7A637D7531F5
                                                                  SHA-512:820BF4E3A1BFE0711F1D52FFF9755B0D16C36E0B50B5E2D11D1FE90F906DACDF3453084BD1EA0E776E3084386ED39CEBF9E1922B53F82B0E03FEF00B224DF3C5
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):23570
                                                                  Entropy (8bit):7.699516108218091
                                                                  Encrypted:false
                                                                  SSDEEP:384:/FWdT63qGA2s74PPf+AfdgcirNa6hTbdJ3ZBR6ZhF62WmhSWDdulpLAEU:/c63qXDMvfLirFXd6Z2gDdufS
                                                                  MD5:7579F5E9191D26076513F0D62BA63763
                                                                  SHA1:A983D608C3087FFDE4E1A2F76C4072766CB52763
                                                                  SHA-256:6BE9DE8083B09B782B7520691C2B1B9CD8796ECCFA3101A205853CD3CE22FDF0
                                                                  SHA-512:EF643B3E4252448E6AB98CFC2F7309A0D41D53EABA8B3DB4AFA86BC09EDA1EDD49750AE5763E542073B142B40F9F541570655FDFB841709797D59433CB09997E
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):75417
                                                                  Entropy (8bit):7.957051837625358
                                                                  Encrypted:false
                                                                  SSDEEP:1536:rLd/gr4QC4zcxQiwrk+79xRDxqWXp4kE/eoBtAi939FMp0t0NmwELQxqbJs8hneK:ejouRxH9qWXFEZ0is85rgyn
                                                                  MD5:24AF92517AC1A65B436D2FA612EC7003
                                                                  SHA1:32F019F2D9057A52EE79A603637753918991E193
                                                                  SHA-256:8D2196DFD3096919F43852D654C99D3D52CA37A58A311A540CE6A14D367B1482
                                                                  SHA-512:D4FDC8A4300591297595A2B7051F9ABB41EB5A833E813508160779EDB45FA7C1BAADEEF81B768F74C457C719B7C2987C601C64AC920C8FC18F37685772C908D8
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):25069
                                                                  Entropy (8bit):7.861186641428454
                                                                  Encrypted:false
                                                                  SSDEEP:768:dGve+SEzoJirQXHxGTjCsxc0T3iQCVSJqdSE7g8gGuICe772czgyO/CS:d0e9EzyirQ3xGTjrxViQ0kQg8gGuICeu
                                                                  MD5:0818A0480E8735784DF484F633893DAE
                                                                  SHA1:B210BB4F8C1DC9EACC0531D645CF77A5EF80E30F
                                                                  SHA-256:6193B8935293735A0E075950A43AC9C2FED9EBD333CBC5CA2ECF3508E550FBFF
                                                                  SHA-512:9F881002F03343453B7903B6471ADF42F4769E61D26F7AB4AC31524484FB201FE25A9FDCCB90D03B337C42EE8B3072EB2A845E3DC3ED854E39266EFF19E55D1C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):13963
                                                                  Entropy (8bit):7.775458355384311
                                                                  Encrypted:false
                                                                  SSDEEP:384:xzRgcWBxiV8wXQMbX9Z0aIg40ED5rfPLAJmnhB:xnWBQLz9Z0aV40EFfPFnhB
                                                                  MD5:510CE41F524D16C86791C0064A589E7B
                                                                  SHA1:78ED6092E0F150A94460ADDEF8CAAD601AB5ABBC
                                                                  SHA-256:AF7E7BDA39FB3EA6A8C41669DBB86B41B6799E7EFF379CE757981E5B956BB24F
                                                                  SHA-512:20B6517378381D379A052997642BF23B5B057EA33C2E0BC962AB6B64E989FDAAA4CC3F02BFD7560D26189E55C7CDF13555BA272C476AD984CD0F913730BD16C0
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):17477
                                                                  Entropy (8bit):7.858834131732098
                                                                  Encrypted:false
                                                                  SSDEEP:384:WssxVkcgUhibEPAZowuCxykS7ug+aM2xbWCwRNXkoYufro8LAC:cekAiwuCxyvugjMqCCwAuzo8p
                                                                  MD5:76B5BEB2F821D1CADF6FBC86B4AD3EA4
                                                                  SHA1:353EB41AD10248539929CA4D4E52099C2233798E
                                                                  SHA-256:E390AE217A83C38651EAAAE4BB00941F53C3E06C70F5F6E335713333432BEA27
                                                                  SHA-512:A48301D836C6865B210FDA8D5252611E39C9BCB30A0E328C96A6F934B169B5FD31CC3ACAF0438DF85F1F4B846F1A1FDC815043C885072396F88018BC6DDD212C
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):42290
                                                                  Entropy (8bit):7.301009409584117
                                                                  Encrypted:false
                                                                  SSDEEP:768:GyvMIZQqx6mssgRqwShvKe8l5sFCIvV9XaK:GykJqxdevm3ptRaK
                                                                  MD5:476A6F2B11BB60D05012AD03D982E3C1
                                                                  SHA1:2796654C41EF4AAA09D23450B3F7E616E63ABA33
                                                                  SHA-256:905C70A0DD7FC8C9F4547388EB492992B43D26FDC3D6808D9A4DFFFF577C3FAC
                                                                  SHA-512:EBF7130DB716B4FFB5C4F2951E16464A683E0BB5B65D633B7F13EFEC69EC570D9B34DB1E7902761402A9068E0EE7A0F7EBAFE0BD96648BE9CFD993BDAF420E17
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Java jmod module version 1.0
                                                                  Category:dropped
                                                                  Size (bytes):102661
                                                                  Entropy (8bit):7.963859985844485
                                                                  Encrypted:false
                                                                  SSDEEP:1536:kipzltxqDIygENgDWnkIgwqZOQqcK4kLvPx0aKeXCCIPuV/ingD4IJT8nYjIrSb0:kipXxgIy7Ng6kqr34e7Kw7Kwtmd0c
                                                                  MD5:0FF732511F74426FBE09EEC982ED56A2
                                                                  SHA1:D06B4A0E2745AF3C47E51721347852827EE18707
                                                                  SHA-256:9DB03AC8466E45B2FF32F419686E9B44286B2B29A7FCF2B1C7DBC0BCD46C927B
                                                                  SHA-512:E0A5115D5683D2E68E5274D77D007C35ACA02C137D8D52461889289282797ED29F57DC5FE1D604D0B09EE11F4152C7AC168CEF7BC681A8890DF1589301784E05
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1039136
                                                                  Entropy (8bit):6.580236835541948
                                                                  Encrypted:false
                                                                  SSDEEP:24576:fXAsqzXlKZSxpJUlwtC/jCQ6tGh91Ds9H2LUVMhmP3oRaEt:fX4zXlnAlwtCbM891YVH6
                                                                  MD5:5E807B5DAD1B6C81982037C714DC9AEF
                                                                  SHA1:2B818F50C0CE821CD0278C714E57CB591B89B715
                                                                  SHA-256:AC94FBB73EBD0CE13AEA7C1AFCBA0DF9A646CBE5795E804FA0C0AC4EBA259E16
                                                                  SHA-512:665EA8069E8D75089EF9292DD6F07E19FA7F7FA1294D44F45D017BCED0D16C8281260BCA4AC7896ACBB0DFFB483BFB13BA4298D767A4BB1A91D9FA437D6BECFE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:RAR archive data, v5
                                                                  Category:dropped
                                                                  Size (bytes):408638
                                                                  Entropy (8bit):7.999538742840416
                                                                  Encrypted:true
                                                                  SSDEEP:6144:hQ4N+JCIZtKWPU00/3vV4d4T2ycMJfrfiLqis9pLXhZEQT/WV63uRZcMI4Wn:hpOC6Kf00ExyvJfrfiLqN3EQz3+ZzI1n
                                                                  MD5:BA7BB2DC159C2BFD50A4CCE091E24D4C
                                                                  SHA1:CFD30E7F6B7505D84FE66C987FE0D59F40A7967C
                                                                  SHA-256:1C3EC11B069B60C379990690473FFD90BCBD7F6E6AE90E5659860B19461A9822
                                                                  SHA-512:549D0C42927B34833CB4B75A04153AE759B629975D213789BC2C3AE007600443C36DC98914B9BDB65A1DBD8B9B543CA42E353DE7382B0226B12B421632F93524
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):984312
                                                                  Entropy (8bit):6.338396454828307
                                                                  Encrypted:false
                                                                  SSDEEP:24576:ee3xAibB85Z1HrWtB8z1L1OBJB5zzz3zzzozzz3zzz6O:lxAibBEZ1LWtBzxDO
                                                                  MD5:37CA63447784D68545801EB2F9DFE1AF
                                                                  SHA1:4575FA78C6E54480A1F2DA51082BFB9538649DDF
                                                                  SHA-256:31F5E43E9283CF2469D8B3E51E7C28C132C6ECB0DAB855DF52CBF21D5394AE0B
                                                                  SHA-512:49A16F4ADE2A434D0E502571E077529CAB54BC98BD4D3EEC45C86A9CFC9623F6830F4046B94730517C6706FDA71C54490EB5ADA538A157D0CC90DC413FA008C7
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4EC82513-0279-4313-850F-996E4FDD9AFE}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Nov 24 19:56:54 2024, Last Saved Time/Date: Sun Nov 24 19:56:54 2024, Last Printed: Sun Nov 24 19:56:54 2024, Number of Pages: 450
                                                                  Category:dropped
                                                                  Size (bytes):56130466
                                                                  Entropy (8bit):7.980338246019501
                                                                  Encrypted:false
                                                                  SSDEEP:786432:Hj1h66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZaMc:HH6FnkF2d6VXXtzR5mgvkz1d2x5wKkW
                                                                  MD5:DCE26534527D10B00359837951A4F672
                                                                  SHA1:35F2BF722F71AC7D356ACA4D097099A8CC3FEC23
                                                                  SHA-256:88CD063AF950F0AC2B1085F148A75E9F9654F634E7262C8A22813258471DFD70
                                                                  SHA-512:AA00B9A8CB5A0838222772704BE0F8A052961A5D92E6E5CDE3767F97CD4A81DB302B030C4A1501547B89798FB631D0FBC970534F0D6B370ABDE9B8D713D92556
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4EC82513-0279-4313-850F-996E4FDD9AFE}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Nov 24 19:56:54 2024, Last Saved Time/Date: Sun Nov 24 19:56:54 2024, Last Printed: Sun Nov 24 19:56:54 2024, Number of Pages: 450
                                                                  Category:dropped
                                                                  Size (bytes):56130466
                                                                  Entropy (8bit):7.980338246019501
                                                                  Encrypted:false
                                                                  SSDEEP:786432:Hj1h66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZaMc:HH6FnkF2d6VXXtzR5mgvkz1d2x5wKkW
                                                                  MD5:DCE26534527D10B00359837951A4F672
                                                                  SHA1:35F2BF722F71AC7D356ACA4D097099A8CC3FEC23
                                                                  SHA-256:88CD063AF950F0AC2B1085F148A75E9F9654F634E7262C8A22813258471DFD70
                                                                  SHA-512:AA00B9A8CB5A0838222772704BE0F8A052961A5D92E6E5CDE3767F97CD4A81DB302B030C4A1501547B89798FB631D0FBC970534F0D6B370ABDE9B8D713D92556
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1021792
                                                                  Entropy (8bit):6.608727172078022
                                                                  Encrypted:false
                                                                  SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                  MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                  SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                  SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                  SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):380520
                                                                  Entropy (8bit):6.512348002260683
                                                                  Encrypted:false
                                                                  SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                  MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                  SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                  SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                  SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):787808
                                                                  Entropy (8bit):6.693392695195763
                                                                  Encrypted:false
                                                                  SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                  MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                  SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                  SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                  SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):256864
                                                                  Entropy (8bit):6.8622477797553
                                                                  Encrypted:false
                                                                  SSDEEP:3072:rRiE8BF4JQi1a7plM/P5aef3HWxph0LR/hSMXlk4ZqKFya5XB67TDmzyJd5nJMCC:6BQ1k9GH5oph0lhSMXlBXBW/ncHfdKq
                                                                  MD5:E0BFA64EEFA440859C8525DFEC1962D0
                                                                  SHA1:4FEDB2E7604FFEB30FC0B535235BC38BD73FEA96
                                                                  SHA-256:8E1B93631C730C9ECDADF15477CCA540A45A8935EF200A435BA84E15D4B1C80F
                                                                  SHA-512:04EA18B777EACB6CC8AF9E63E33E3B5C71307A83D69C8722CEBE538D5DC681D538E731560612F8DA64413D7EDAA872C2A91AC6B4CA58D7B3561C87893D365D6F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):200112
                                                                  Entropy (8bit):4.367634903315844
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ZRBM9Y5DoI+e7H4NVBFvvMgJOVj5Ho46cOjkDPPZ:ZM9Y5Dt+e7GVBFvvMg0Vj5Ho4CIDPPZ
                                                                  MD5:C70C741AB7FD6AA3D2E6EA9ADEBCD3EE
                                                                  SHA1:0B19459239E126706307E4726F7664931086558C
                                                                  SHA-256:109246C3098287C8A43C2C5E27CEF13397D2A9D19818BEFF8D34D336512F4797
                                                                  SHA-512:C3A87435C199EEB7888AF30C336F69CBAF09A261122DC5E68CCA6255FE9C5A53A8D29FF028B8FAB35AC79DEF4E011A28DB9C8D906872C0B6C0E45C0373020D9B
                                                                  Malicious:false
                                                                  Preview:...@IXOS.@.....@0|yY.@.....@.....@.....@.....@.....@......&.{2F276CDE-219F-4225-94D5-04B7DB2F9854}..Oovi Appc..R9GpVOQoR3.msi.@.....@.....@.....@......icon_27.exe..&.{4EC82513-0279-4313-850F-996E4FDD9AFE}.....@.....@.....@.....@.......@.....@.....@.......@......Oovi Appc......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@(....@.....@.]....&.{4EAB000E-DEB5-4E28-8448-068C624BCBAA}4.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\.@.......@.....@.....@......&.{3A93C24E-9EC4-4B96-973D-8D64785398E1}).21:\Software\Yuwei Qusi\Oovi Appc\Version.@.......@.....@.....@......&.{983AED90-5AA4-4C2B-A9F3-2563FFDAE964}D.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\libssl-3-x64.dll.@.......@.....@.....@......&.{C04AA22D-BE6B-4EE3-8C36-F938BA4CD485}?.C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe.@.......@.....@.....@......&.{EADBA1F2-9A40-4915-9979-43CFCD1C35CE}D.C:
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.1642482840827078
                                                                  Encrypted:false
                                                                  SSDEEP:12:JSbX72FjbAGiLIlHVRpZh/7777777777777777777777777vDHF85TKNit/l0i8Q:J9QI5ta5GgiF
                                                                  MD5:79B6E26202C814E07C48AC782D6EF33E
                                                                  SHA1:46EEC183CCE287048799DF94BA4CCCB6C5B87548
                                                                  SHA-256:D8A3071E60B262F4B4F28F9BA9475529B4C6459890BCAEEC44C23FC034158D16
                                                                  SHA-512:91B8620155262DEFF314BC636DBE35BCC29D50FF53D821328F048B64ACD7AC8353DFD954BC5828267D8803A7E8B32F0D6F9D96113D3887D77FEFCC2536F23CDC
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5421853703057185
                                                                  Encrypted:false
                                                                  SSDEEP:48:w8Ph8uRc06WXJ0FT5nnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:fh813FTpQZhEC2Xv6qa
                                                                  MD5:E68644B0BD86C2B998B9CDCB8C2F3802
                                                                  SHA1:D4269AD00838343DBD7B08F0856FCE462DCFCAE7
                                                                  SHA-256:BDD4F7E9A07F44EEB97629D63855F5BDE4B198ADD83E9637BDEB4786BE56EB35
                                                                  SHA-512:71914B516A1D003D47B0AA4DDBC086664130D8004A41A38E339B3AAF1BF10543873058084F4005DF9D59AE039A504582E9B2E9AC412A56983521E9BCEA837157
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):432221
                                                                  Entropy (8bit):5.375173707335242
                                                                  Encrypted:false
                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauq:zTtbmkExhMJCIpErH
                                                                  MD5:960C407DFC655129867B45F175CB40D3
                                                                  SHA1:FFCAF0ED151916211DA01459E4222CDFEA0CA321
                                                                  SHA-256:8BD727B158F7CDA334EA1E83ED1800F7B4E32ACDB674742A73987C2B80FF5646
                                                                  SHA-512:EDE1567307D0EB0376C397002BBDF197A44A63BAD12BD494FA25158D6BB29680D2AFB773424B9E9C2D0E1653F5A9ECC5F849364A11CC5F6D951DF1549F946F0B
                                                                  Malicious:false
                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2379759105566635
                                                                  Encrypted:false
                                                                  SSDEEP:48:+10uvO+CFXJpT5vnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:y0/RTBQZhEC2Xv6qa
                                                                  MD5:68E7FAFBCA504A7059B38D7724A4D035
                                                                  SHA1:E47E3EE3B3AF8972CF56D5432EC2BB9297767D66
                                                                  SHA-256:B504E437FBEE8186751E5B31B41FD3419B5688CE1CA74FE5FE49EB7B4D928059
                                                                  SHA-512:9AC90148F1BC4A6F57C3C111AF4C49F1AC29E1B3AAD44536A2C033EA2D85422BEE6E82ECA264B784C04E0DE0AE4E253079633F1348A314F63D7FF46800CEB427
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):0.07192576162643322
                                                                  Encrypted:false
                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO85LTKltUltgVky6lit/:2F0i8n0itFzDHF85TKgbit/
                                                                  MD5:256CE9789EEB10F4D615FDA4E52D7DC6
                                                                  SHA1:665E19879022A65F2E3FD21948C807BFEF78C6A5
                                                                  SHA-256:A2DDE9AE0688F654CF616E4B18D3FACD7135072A6A3DB2FB2015AECB180B1C8C
                                                                  SHA-512:684A77A9718ABEEEBE6257AC1BB2A981C55EC2BB9E0A626FFF44EE3F4839F6B2A4104CA265DA0A7A322D839211AD2917F8E0FF61C51308AB228A42ABAF0395DB
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5421853703057185
                                                                  Encrypted:false
                                                                  SSDEEP:48:w8Ph8uRc06WXJ0FT5nnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:fh813FTpQZhEC2Xv6qa
                                                                  MD5:E68644B0BD86C2B998B9CDCB8C2F3802
                                                                  SHA1:D4269AD00838343DBD7B08F0856FCE462DCFCAE7
                                                                  SHA-256:BDD4F7E9A07F44EEB97629D63855F5BDE4B198ADD83E9637BDEB4786BE56EB35
                                                                  SHA-512:71914B516A1D003D47B0AA4DDBC086664130D8004A41A38E339B3AAF1BF10543873058084F4005DF9D59AE039A504582E9B2E9AC412A56983521E9BCEA837157
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2379759105566635
                                                                  Encrypted:false
                                                                  SSDEEP:48:+10uvO+CFXJpT5vnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:y0/RTBQZhEC2Xv6qa
                                                                  MD5:68E7FAFBCA504A7059B38D7724A4D035
                                                                  SHA1:E47E3EE3B3AF8972CF56D5432EC2BB9297767D66
                                                                  SHA-256:B504E437FBEE8186751E5B31B41FD3419B5688CE1CA74FE5FE49EB7B4D928059
                                                                  SHA-512:9AC90148F1BC4A6F57C3C111AF4C49F1AC29E1B3AAD44536A2C033EA2D85422BEE6E82ECA264B784C04E0DE0AE4E253079633F1348A314F63D7FF46800CEB427
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.5421853703057185
                                                                  Encrypted:false
                                                                  SSDEEP:48:w8Ph8uRc06WXJ0FT5nnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:fh813FTpQZhEC2Xv6qa
                                                                  MD5:E68644B0BD86C2B998B9CDCB8C2F3802
                                                                  SHA1:D4269AD00838343DBD7B08F0856FCE462DCFCAE7
                                                                  SHA-256:BDD4F7E9A07F44EEB97629D63855F5BDE4B198ADD83E9637BDEB4786BE56EB35
                                                                  SHA-512:71914B516A1D003D47B0AA4DDBC086664130D8004A41A38E339B3AAF1BF10543873058084F4005DF9D59AE039A504582E9B2E9AC412A56983521E9BCEA837157
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.2379759105566635
                                                                  Encrypted:false
                                                                  SSDEEP:48:+10uvO+CFXJpT5vnQyZCSCZwAECiCyWTo1XQZCSCZ+Tttqa:y0/RTBQZhEC2Xv6qa
                                                                  MD5:68E7FAFBCA504A7059B38D7724A4D035
                                                                  SHA1:E47E3EE3B3AF8972CF56D5432EC2BB9297767D66
                                                                  SHA-256:B504E437FBEE8186751E5B31B41FD3419B5688CE1CA74FE5FE49EB7B4D928059
                                                                  SHA-512:9AC90148F1BC4A6F57C3C111AF4C49F1AC29E1B3AAD44536A2C033EA2D85422BEE6E82ECA264B784C04E0DE0AE4E253079633F1348A314F63D7FF46800CEB427
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):0.1287582865145596
                                                                  Encrypted:false
                                                                  SSDEEP:48:aa/tQTeZCSCZDZCSCZwAECiCyWTo1XIsn:aaFc+hEC2XIU
                                                                  MD5:0B826B73031717EE8A9D2AB09D363B1B
                                                                  SHA1:E113B2E2D16A67238DA889499F2FAEA66AECA405
                                                                  SHA-256:FE1770E9EBA3725BED94C219FD2AE899D82452D4140464280F9D0FC4475D7000
                                                                  SHA-512:543E04EC9BD2FA9D7EEC1A4A2DDA87E129AA7810317CA57EF2DFD8834CA035381F2382D782EB38379617A914EEEE1C0B116340FC341BE24FB3F6DCB3D99B524F
                                                                  Malicious:false
                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4EC82513-0279-4313-850F-996E4FDD9AFE}, Number of Words: 10, Subject: Oovi Appc, Author: Yuwei Qusi, Name of Creating Application: Oovi Appc, Template: x64;1033, Comments: This installer database contains the logic and data required to install Oovi Appc., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Nov 24 19:56:54 2024, Last Saved Time/Date: Sun Nov 24 19:56:54 2024, Last Printed: Sun Nov 24 19:56:54 2024, Number of Pages: 450
                                                                  Entropy (8bit):7.980338246019501
                                                                  TrID:
                                                                  • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                  • Microsoft Windows Installer (60509/1) 46.00%
                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                  File name:R9GpVOQoR3.msi
                                                                  File size:56'130'466 bytes
                                                                  MD5:dce26534527d10b00359837951a4f672
                                                                  SHA1:35f2bf722f71ac7d356aca4d097099a8cc3fec23
                                                                  SHA256:88cd063af950f0ac2b1085f148a75e9f9654f634e7262c8a22813258471dfd70
                                                                  SHA512:aa00b9a8cb5a0838222772704be0f8a052961a5d92e6e5cde3767f97cd4a81db302b030c4a1501547b89798fb631d0fbc970534f0d6b370abde9b8d713d92556
                                                                  SSDEEP:786432:Hj1h66e8idkF2dtoCcxgvCoczhzf557KgvPnvETaqe8s+d2tIQ66UNK4ZaMc:HH6FnkF2d6VXXtzR5mgvkz1d2x5wKkW
                                                                  TLSH:ECC7337075A6C437D66D11B7A539EEEA423F3D210BB188D7B3E4796E0E348C1A231A17
                                                                  Icon Hash:2d2e3797b32b2b99
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T21:33:28.737873+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49732 | 104.21.81.131 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 21:33:27.007373095 CET | 58714 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 21:33:27.309536934 CET | 53 | 58714 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 21:33:27.007373095 CET | 192.168.2.4 | 1.1.1.1 | 0xa185 | Standard query (0) | key-keys.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 21:33:27.309536934 CET | 1.1.1.1 | 192.168.2.4 | 0xa185 | No error (0) | key-keys.com | | 104.21.81.131 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 21:33:27.309536934 CET | 1.1.1.1 | 192.168.2.4 | 0xa185 | No error (0) | key-keys.com | | 172.67.161.47 | A (IP address) | IN (0x0001) | false
                                                                  • key-keys.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 104.21.81.131 | 443 | 7632 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 20:33:28 UTC | 194 | OUT | POST /licenseUser.php HTTP/1.1
                                                                  Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                  User-Agent: AdvancedInstaller
                                                                  Host: key-keys.com
                                                                  Content-Length: 48
                                                                  Cache-Control: no-cache
2024-11-25 20:33:28 UTC | 48 | OUT | Data Raw: 54 69 6d 65 3d 31 35 25 33 41 33 33 25 33 41 32 36 26 44 61 74 65 3d 32 35 25 32 46 31 31 25 32 46 32 30 32 34 26 50 72 6f 64 75 63 74 49 44 3d
                                                                  Data Ascii: Time=15%3A33%3A26&Date=25%2F11%2F2024&ProductID=
2024-11-25 20:33:29 UTC | 785 | IN | HTTP/1.1 200 OK
                                                                  Date: Mon, 25 Nov 2024 20:33:29 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  cf-cache-status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pbgI%2Bsrrn%2FL0Ygn2OyoUvI%2Bz%2Bu83nDbGfFHA4P43RxsZnieQkjcV7WB3w2F60KI8RV88uTLN3abyFwTlt2puTT1e99Ccx47c998MfaBBkWk1ZTI3SaetNBExlBo%2Bz6g%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8e8469fc081d5e76-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2425&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2825&recv_bytes=902&delivery_rate=1240441&cwnd=208&unsent_bytes=0&cid=c4cad61d746e0d20&ts=729&x=0"
2024-11-25 20:33:29 UTC | 7 | IN | Data Raw: 32 0d 0a 30 61 0d 0a
                                                                  Data Ascii: 20a
2024-11-25 20:33:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Target ID:0
                                                                  Start time:15:33:06
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\R9GpVOQoR3.msi"
                                                                  Imagebase:0x7ff6ccb20000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:15:33:07
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                  Imagebase:0x7ff6ccb20000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:2
                                                                  Start time:15:33:10
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 57EB98099E4B236155B9A7DA141C0C85
                                                                  Imagebase:0x8c0000
                                                                  File size:59'904 bytes
                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:15:33:29
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssADC5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiADB3.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrADB4.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrADB5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                  Imagebase:0x670000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:15:33:29
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:15:33:37
                                                                  Start date:25/11/2024
                                                                  Path:C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\AppData\Roaming\Yuwei Qusi\Oovi Appc\openvpn.exe"
                                                                  Imagebase:0x7ff7870a0000
                                                                  File size:1'039'136 bytes
                                                                  MD5 hash:5E807B5DAD1B6C81982037C714DC9AEF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:15:33:37
                                                                  Start date:25/11/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:11.1%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:69
                                                                    Total number of Limit Nodes:10

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Time$CreateFile$FindProcessThread$CloseNameString$CommExceptionListLocalTransactedVolume$InfoMutexOpenParametersPathSystemWrite$AvailableBrushCallbackChangeConditionConsoleCountDebugDeviceDirectoryEventExitFatalFreeGlobalGroupHandleHeapsInterlockedLanguagesLoadOnceOutputPowerPreferredProcProcessorRaiseRequestSleepSpecificTapeUserVariableVersion$AccessActiveAddressAllocApisApplicationAttributeAttributesBackupBindBoostButtonsCalendarCapsCharCleanupClientClipboardCompareCompletionComputerContextCurrentDateDisassociateDisplayDynamicEntryEnumExecuteFilterFirstFlagsFormatFormatsFromFullGrantHandlerIndirectInformationInitInitializeItemLibraryLocaleLongMaskMaximumMemoryMessageMetaModemModuleMountMouseNamedNextNodeNotificationNumaNumberOrdinalPackagedPagesPhysicalPipePointPointerPriorityPrivateProfilePropertiesPushQueryReconnectReleaseRemoteRemoveResourceRestartSectionServiceSettingsShutdownSizeStartupStateStatusThreadpoolUnhandledUnicodeUnlockUnregisterUpperValidValueVectoredViewWaitWatchWindowWorkingWow64Zone
                                                                    • String ID: 3re3o5aA4HTYIeL4B6$90$CXERZaji8iTErRk66Tl31$DnFJ8XHHv6v3LAN6N92mV3$JeEu6HO65A25HpJsSqv$Software\aJHdXBlMuxgZHPTeQNWXhlfVCjtHF$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$VUUU$Vjx753Au3vKZFYp36TuP4ftwyeX6$Vst7mgaB7x5p8CBDf1$YDdxeBPelaniEHxnpISBVxEEFn$ZNQgipRfuHAwydEiKvDC$ZQzBH1fejINWQDl3hNaW$bq28v4Pk1PsFZdYm7CfR8Du7K$gJdnA5SKl1MCYJkebfN193YbU$i62xKH1dE4XdRxCLh$lgQ6gAxJE83p7WbG541L4O$ltpyAndBGtgTnNYsWLvigOtbhtE$nKByysQPvonAAFdADgWvEDdaSIwHX$p1N24XHoAeo58Xzgu$wjQRPNXhMJQkvRPXcwpG
                                                                    • API String ID: 543866257-1801069392
                                                                    • Opcode ID: dbf0c3548439d0e2bb8223bff2e5909e3f7f52edf1a14fef04cb73269afdf9a1
                                                                    • Instruction ID: bf39808f012ca65bf0ce514045b809a89914f60ea3e548b03283bf4c02a5e449
                                                                    • Opcode Fuzzy Hash: dbf0c3548439d0e2bb8223bff2e5909e3f7f52edf1a14fef04cb73269afdf9a1
                                                                    • Instruction Fuzzy Hash: 6D92D232A18A5186E769CF35E854BAE33A1FF88714F408539DB4A4AB78DF3DE548C704

                                                                    Control-flow Graph (first node 146: 7ffe003433f0-7ffe003434e8)
                                                                    APIs
                                                                    Strings
                                                                    • xVQ2m838HA8YKr1fmnZ, xrefs: 00007FFE00343970
                                                                    • dUFRUaq3xRDI35YYmpeCZW9ydzSg, xrefs: 00007FFE00343CB6
                                                                    • GlMGnHUXGrikFQwGsw, xrefs: 00007FFE00343966
                                                                    • TNU2c6xtdj7442G5, xrefs: 00007FFE00343C60
                                                                    • l7eDhLPkyPlOcU1Jvq8z3HxlhRVD5, xrefs: 00007FFE00343C6A
                                                                    • B69pRqd7PuJt61du2P1i, xrefs: 00007FFE00343CA7
                                                                    • 7+NtR/ISF9z+Hx77mLX8UcEjad55ZXY8LqQ4yPAxRJToRmDIIzGbUytQj0qBZA4eF2p9/3blutOZ59txJeRfMZA9DSPA4WDwZaNpqLuT0PEEpTygJ50ssm4KeGalbUMtIg9Nsjyg3DEm9nsDdIh0WPzO0vUzVZJt3MbULKC/ASDtHIO+s54aXib5aU+aXFl3rxG2BeN1cJkSWXLeySdQkS0QQHXZt0k0UfnAmztyJVB9f9l8DRh2oOSUvkClPeJtfEAE, xrefs: 00007FFE00343A6E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: File$Create$Info$ConsoleName$ThreadThreadpoolTimer$EnumProcess$CommNamedPipeQueryResourceUnregisterWaitWaitable$AttributesCancelCopyInformationLogicalOpenRead$CallbackConcurrency::cancel_current_taskCursorDirectoryDriveEventFindFirmwareGroupInputLocaleLongMemoryObjectProcessorStringsSystemTypesVariableVirtualVolumeWindowWindowsWork$AdjustmentAffinityAllocApplicationAwareBackupBoostBoundaryBufferBuildCalendarCallbacksCharCharacterCheckClientCloseColorCommandComputerConditionConfigCountCurrentDefaultDeferDeleteDescriptorDialogDot3DrivesDynamicEntryEnvironmentEventsExceptionExemptionExitFatalFreeFrequencyFullGlobalHandleHandlerHeapHistoryIdealImageIndirectInstalledIntegrityLabelLanguagesLegalLineMaximumMessageMetaModuleMountMoveNamespaceNotificationNumberOutputPathPeekPerformancePhysicallyPointPolicyPolygonPrefetchPriorityPrivateProcQueueRectRemoveRestartRestrictionResumeReturnsScopedScreenScriptsScrollSelectionSelectorServerStartupStateStringSuspendTempTerminateTimeTransactTransactedTransmitTypeUpdateUserValidateVectoredVerifyViewVisibleWakeWhenZonelstrcatmouse_event
                                                                    • String ID: 7+NtR/ISF9z+Hx77mLX8UcEjad55ZXY8LqQ4yPAxRJToRmDIIzGbUytQj0qBZA4eF2p9/3blutOZ59txJeRfMZA9DSPA4WDwZaNpqLuT0PEEpTygJ50ssm4KeGalbUMtIg9Nsjyg3DEm9nsDdIh0WPzO0vUzVZJt3MbULKC/ASDtHIO+s54aXib5aU+aXFl3rxG2BeN1cJkSWXLeySdQkS0QQHXZt0k0UfnAmztyJVB9f9l8DRh2oOSUvkClPeJtfEAE$B69pRqd7PuJt61du2P1i$GlMGnHUXGrikFQwGsw$TNU2c6xtdj7442G5$dUFRUaq3xRDI35YYmpeCZW9ydzSg$l7eDhLPkyPlOcU1Jvq8z3HxlhRVD5$xVQ2m838HA8YKr1fmnZ
                                                                    • API String ID: 858035477-3186825483
                                                                    • Opcode ID: 68342b25a8afa93e473770bb2aa6fdf9f277a872e3cf5525fdf41b4cd48d18be
                                                                    • Instruction ID: b02be8bbcd2f21b271295d1e83ed3e90d7b9bb1704d7a00f56c6ac6eb42c11a2
                                                                    • Opcode Fuzzy Hash: 68342b25a8afa93e473770bb2aa6fdf9f277a872e3cf5525fdf41b4cd48d18be
                                                                    • Instruction Fuzzy Hash: 12827F32A28B918AF714CFB4E85169E7375FF98718F00853AEB8956A68DF3CD149C704

                                                                    Control-flow Graph (first node 241: 7ffe003478c0-7ffe0034797a)
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: File$CommConsoleStringThreadTime$NamePathProcess$CompareCryptHeapMemoryNamedPipeSystemTimerVolumeWaitWrite$CloseConcurrency::cancel_current_taskContextConvertCreateCurrentDefaultDeleteEventFiberFindFreeInfoLoadNotificationNumberOnceOutputQueueResourceTempThreadpoolTypeUnregisterVerify$AcquireAllocApplicationBackButtonsCacheCaptureCharacterClientConditionConfigConnectCriticalDebugDirectoryDynamicEntryErrorEscapeEventsExecExecuteFirstFunctionGroupHandleInformationInitInputLangLanguageLeaveLocalLockMappingModeModemMouseNamesNeedOpenOrdinalOverlappedParametersPolicyQueryRandomRegisterReleaseRestartResultScopedScriptsSectionSelectorSemaphoreServerSessionShortSizeStackStartupStateStatusTapeTraceUserValidVariableVersionVirtualWakeZonelstrlen
                                                                    • String ID: 3KQ5Y831J1naUTKTMVZe8D9II$3o1nWce16yNPnwrND7X7af2u$7jDC433sAxX62XWGP326bkR1F8mv$84HiMbeEzDLu255867N94q45Tp$84KHyVHvKPK52qUtF4$8NxviUB22I3V2l76qG7nmudwpEyU$CkyfLdWneOPdzGhIxzb$HEX$HGNjbGd5Q9q1873SFVZ2632jtj3$L2RHu4JiwkbJ7rffD8vZev$WB74wNky3w9MqIEST88Lz$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$k4kfRMOadwmFr1xIq16Eq83Gb2iDo$kjFbxle2rAmx6OCg5p7KCcH8$nTVYlIVr2oRitKfET32ny7v3rjp$txt
                                                                    • API String ID: 2553382334-2758290097
                                                                    • Opcode ID: 4a2646b33918cddd06aa23113ab4ac3e702eb46318514e55420590df13f8efa2
                                                                    • Instruction ID: 57fed681e41682019335b9f0304107a357ecf20cbdd8031b4a9e57c1e783bc40
                                                                    • Opcode Fuzzy Hash: 4a2646b33918cddd06aa23113ab4ac3e702eb46318514e55420590df13f8efa2
                                                                    • Instruction Fuzzy Hash: 90C22732A18B818AE751CFB4E8412EE77B1FB94718F40853ADB8D5AB69DF38D148C744

                                                                    Control-flow Graph (first node 427: 7ffe003455a0-7ffe003458da)
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: File$CreateOutputStringThreadThreadpool$ConsoleDebugResource$Time$CloseConcurrency::cancel_current_taskCurrentEnvironmentFindHandleOpenProcess$DateEnumFormatInfoListMutexRegisterSystemUnlockVariableWork$AliasesApplicationAttributeAttributesBackBackupBeginByteCacheCalendarCallbackCancelCaptureCharacterClipCursorDataDefaultDeleteExceptionExecFirmwareFontFormatsFreeHeaderInformationLangLanguagesLeadLoadLocalMaximumMemoryMessageNamesNotificationObjectOffsetPathPowerPreferredProcProfilingQueryRaiseReadRecoverySeekSingleSizeStackStatusStringsTempTerminateTimesTraceUpdateUserVirtualWaitWrite__std_exception_copylstrcmpi
                                                                    • String ID: %s\FoToIxlpxZgvjkBkrtuURKlTDNDgF$5GZab3L9Nr8eo7gYNOTRoRst$C6dJkommwFrUPgX441ln4Cz$Kuzrs8im19t335xmyNGZFNot58$Mutex does not exist.$Mutex exists.$MyUniqueMutex$Oq28ZHC8F7Gu15gw$Process started at: $QWpKPLqCamQtAxGcqwVqJksRDBwI$Software\FxkIvcaluufkvuMeyzcOPp$UF93nk7FgvT6MiryfpQHS5e8ACKs$XhRE9GsDku8BYak85jkUlcf7M$bFURlLyvBdEyBZwiMKDtpi$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$mEqASpgOskMpurtSucuOxvjgTZggd
                                                                    • API String ID: 1401062970-266131634
                                                                    • Opcode ID: 35b830c5c011ca8862a8e6a77dc359fe253385ce19149d0ef4c673e54678dfcc
                                                                    • Instruction ID: 7dc5c080c06ec952dd4bfd4a38277755e848ead001c305cb71e94d16d7decd73
                                                                    • Opcode Fuzzy Hash: 35b830c5c011ca8862a8e6a77dc359fe253385ce19149d0ef4c673e54678dfcc
                                                                    • Instruction Fuzzy Hash: 27B25532A19B8189E751CFB4E8412AD77B1FB98748F40843ADB8D97B69DF38E148C744

                                                                    Control-flow Graph (first node 640: 7ffe00344090-7ffe003440d6)
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Console$Section$CountCreateFileHandle$AllocCloseCriticalEventInfoPrivateProcessProfileTimeTypeWrite$ApisAttributeBufferByteCallbackCodeCommConfigCurrentDefaultDeleteDriveEnterErrorFreeGlobalHeapLeadLocaleMaximumModeMutexNamePagePartitionProcessorReleaseReturnsScreenShortSizeStringSystemTapeTextThreadThreadpoolTimerValidWhen
                                                                    • String ID: - Archive$ - Compressed$ - Directory$ - Encrypted$ - Hidden$ - Read-only$ - System$ - Temporary$Attributes:$Current Directory: $VUUU$uqo4qJ12sX1m12J1FuF8TO6X8j$v3OU2MlwL8gPcVAkbeX
                                                                    • API String ID: 4139790471-1023201208
                                                                    • Opcode ID: b7a509154a13f8015b61b11dbb9031719fabeda0ade3d7b8582a691031e3fb28
                                                                    • Instruction ID: 3c3a777817a6ef72bc114285dbf8d1dedf2e3c92089d6b9f90e881ee67f675ae
                                                                    • Opcode Fuzzy Hash: b7a509154a13f8015b61b11dbb9031719fabeda0ade3d7b8582a691031e3fb28
                                                                    • Instruction Fuzzy Hash: 51526B32A28A828AE754DF74E8416AE7361FF94704F50453AEB8E46A7DDF3CD149C704

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: File$Time$NameProcessString$BoostCopyFindGroupInfoPriorityProcessorQuery$AffinityAssignBufferCommComputerConfigConsoleCounterCurrentDebugDefaultEnumFile2FirstFlushFormatsInputLanguageLocaleMemoryModuleNodeNotificationNumaNumberObjectOrdinalOutputPagesPerformancePhysicalPrivateProfileResourceScatterScriptsSectionStartupSystemThreadTransactedUserValidVerify
                                                                    • String ID: CwMO9TngM79xYYUeI8c4OT$DsbjzvXjNgL4k48gO3LW2V$INfZVNtC38o1Mz6727419LbxnczSs$K6mQLsWasfbs6ylow$W765XNqjufb9d6FKVtMjuff1F$h2226O6n2RnJ7r1ezmRe2IvN9$oqVlXzKgAfqVJRvawU$sHtc9hSTD4XQqn7LV$t1d2Z5B477n8moRq
                                                                    • API String ID: 3494401022-3528938499
                                                                    • Opcode ID: 5cd6c41964f2e88484bc5e522ee369ad17db9970db6c57670fb8e2f3e013c1c0
                                                                    • Instruction ID: f9e7d9c0620c6ac5b1c6e1d73a4ea1a85bfbe3479d0660a087e98dcf63db6393
                                                                    • Opcode Fuzzy Hash: 5cd6c41964f2e88484bc5e522ee369ad17db9970db6c57670fb8e2f3e013c1c0
                                                                    • Instruction Fuzzy Hash: 78915D32A147419AE754DF75E8516AE73A2EF98308F44883ADB4E46A7CDF3DD148C704

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                    • String ID: Pc?
                                                                    • API String ID: 190073905-1800135419
                                                                    • Opcode ID: 246ea4d73848f51b4afbd247b9c89f376c14e35868bb7bacca2e5da668b8e543
                                                                    • Instruction ID: 4d75bc4c85325a3d2ca790c24d346cb0eb8d98300c7d64ba02261780b3eb8507
                                                                    • Opcode Fuzzy Hash: 246ea4d73848f51b4afbd247b9c89f376c14e35868bb7bacca2e5da668b8e543
                                                                    • Instruction Fuzzy Hash: 5E81B271E2C24786FA929B669841AB96390BF45780F489435DB0DD37BFDF3CE8468704

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: FileHandleType
                                                                    • String ID:
                                                                    • API String ID: 3000768030-0
                                                                    • Opcode ID: 6baec63feb1a4407557d6251544551a24ed08cc6170edb8c31f62c33efaa1f4f
                                                                    • Instruction ID: 8ca4b96fc3409d49556d8257eb8acf619022d835dc501afaa7e7aa9e23c4b084
                                                                    • Opcode Fuzzy Hash: 6baec63feb1a4407557d6251544551a24ed08cc6170edb8c31f62c33efaa1f4f
                                                                    • Instruction Fuzzy Hash: 2B31E122A18B8581EB658B1594841786750FB55BB0F68133AEB6E033FCCF3CE5A5D340

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: d86bdaa27196374e294cfbf7bd1d5411a5a7b569221d59ed5ed9ded445e4de73
                                                                    • Instruction ID: 8041b56636e3ccaecd76df5b7e4b71c10e48dee34af6e403c57365ed96fc53ad
                                                                    • Opcode Fuzzy Hash: d86bdaa27196374e294cfbf7bd1d5411a5a7b569221d59ed5ed9ded445e4de73
                                                                    • Instruction Fuzzy Hash: A411F0F7610A84D6DB50CFAAC4853A877A0E799F8AF29D01ACF1D47350EB3AC189C701

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 973 7ffe0039a520-7ffe0039a5b2 VirtualProtect 974 7ffe0039a5b9-7ffe0039a5d3 973->974
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
                                                                    • Instruction ID: 010ad77b46231546ad8e563a91b9bd877a52f49bfa2d6eec000b6cc97054d2fc
                                                                    • Opcode Fuzzy Hash: 08162ecbcb6fe265952aeab26004fd56f186c16ea12c815fdaed98c207f13e25
                                                                    • Instruction Fuzzy Hash: 381133B7600A88C6CB50CF6AD988AA87760F79CB89F268116DF0D43350DB36C495CB40
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AcquireExclusiveLock__std_exception_destroy
                                                                    • String ID:
                                                                    • API String ID: 504776981-0
                                                                    • Opcode ID: f66b9508e528772ae19c2a6d3ea917364f03120cd1a1b9f731b054640fea4449
                                                                    • Instruction ID: cacf716ddbdab194caf656cedee7c2905e5be9711785da4680c3af929ca57171
                                                                    • Opcode Fuzzy Hash: f66b9508e528772ae19c2a6d3ea917364f03120cd1a1b9f731b054640fea4449
                                                                    • Instruction Fuzzy Hash: F8210735A08F8291F662CB11E84016973A5FB88794F584236E78C47778EFBCE695CB04
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AcquireExclusiveLock__std_exception_destroy
                                                                    • String ID:
                                                                    • API String ID: 504776981-0
                                                                    • Opcode ID: 4f1e5f83affd1a33e8fcef03a736980c17ef082c28e0c8fc1d0463f47f2a8c19
                                                                    • Instruction ID: a9207e6ce07efef37795305fc973c3fca7b73d3fe3d2406fb00ea86a67b2669f
                                                                    • Opcode Fuzzy Hash: 4f1e5f83affd1a33e8fcef03a736980c17ef082c28e0c8fc1d0463f47f2a8c19
                                                                    • Instruction Fuzzy Hash: 58210371A09F8295E612CB52F8800AA73A5BB88794F554236DB4C837BCEF3CE555CB08

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AcquireExclusiveLock__std_exception_destroy
                                                                    • String ID:
                                                                    • API String ID: 504776981-0
                                                                    • Opcode ID: 330af779436e796a39aa7a6803f0049bb7ec6903eba815cd3aec02ea144364f5
                                                                    • Instruction ID: 63d58f38f7162b531bb0009fcb2d7a36c01031634d024d15fa7c45e804340d5b
                                                                    • Opcode Fuzzy Hash: 330af779436e796a39aa7a6803f0049bb7ec6903eba815cd3aec02ea144364f5
                                                                    • Instruction Fuzzy Hash: 34211631A08F4282E616CB15F880075B3A8FB88794F544236EB4D47B78EF7CE595CB04
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AcquireExclusiveLock__std_exception_destroy
                                                                    • String ID:
                                                                    • API String ID: 504776981-0
                                                                    • Opcode ID: 4278b4a0d322c34a03724e4d4ce591d765b46d14e1e973994541ddeb78597b63
                                                                    • Instruction ID: 03e25404037f2b22d33197836ef91dff6e4d096268921415c266b9da71d994fa
                                                                    • Opcode Fuzzy Hash: 4278b4a0d322c34a03724e4d4ce591d765b46d14e1e973994541ddeb78597b63
                                                                    • Instruction Fuzzy Hash: 72213431A08F8285E666CB15F98007873A5FB88790F564236D75C43B79EF3CE595CB04
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 3215553584-0
                                                                    • Opcode ID: 7097b2d52f1b4ac38c73c491a33784019e875e8d080d305ec7f1a3106f3632f1
                                                                    • Instruction ID: 8e90e86a1489011ac745e653cd64734a345cc8584bbd73b8caf10ad882f1c7e1
                                                                    • Opcode Fuzzy Hash: 7097b2d52f1b4ac38c73c491a33784019e875e8d080d305ec7f1a3106f3632f1
                                                                    • Instruction Fuzzy Hash: FF116D3292868282E216AF14A8401AA77A5FF90740F550235E79D477FEDE3CE910D741
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue
                                                                    • String ID:
                                                                    • API String ID: 3660427363-0
                                                                    • Opcode ID: b6326df03547ea6f84f29f9ee147747a304e1d365c9d8797de04ee65a0ac18c9
                                                                    • Instruction ID: 8f8d52afec40f46d0eeadfd85e36a0686173138d1b6a7b5bb6e5a7a16d19a297
                                                                    • Opcode Fuzzy Hash: b6326df03547ea6f84f29f9ee147747a304e1d365c9d8797de04ee65a0ac18c9
                                                                    • Instruction Fuzzy Hash: AE01CE7B604F8896CB50CF5AE48469D77A0F38CBD4B25812AEF9C93724CB3AC451CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    • Opcode ID: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
                                                                    • Instruction ID: 7c15578d300e577eb2588c54f86070f396cfde503b42f02a8c29891fe5e503b2
                                                                    • Opcode Fuzzy Hash: cfebc1515fc543b2b083fe2095759787ddce3388642ce27f36cb7901a027486b
                                                                    • Instruction Fuzzy Hash: EEF0B2BB610A84D6CB50CF6AE484A9D7760F359FD8B258126DF5C43724CB3AC455CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1705453755-0
                                                                    • Opcode ID: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
                                                                    • Instruction ID: d6bd023aef13f88f7da155c71dc16a27506a3a5de3dcecbee528923cabe123b6
                                                                    • Opcode Fuzzy Hash: 5f538518f70937bf11e419d51a4fea6598bbd6422f46c342526eb7ef06b1ca16
                                                                    • Instruction Fuzzy Hash: ECF092B7600A8496CB50CFAAD584AAD77A0F758BD8B258027EB5C83714CB3AC495CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 2ba6818c44b3c839024e50f709396ad1f8f57b850ceec6c737bacfcb6873c483
                                                                    • Instruction ID: ef376864580e8a8876c0b650256e5046ad582dc95c722622520f6c1bd50b2383
                                                                    • Opcode Fuzzy Hash: 2ba6818c44b3c839024e50f709396ad1f8f57b850ceec6c737bacfcb6873c483
                                                                    • Instruction Fuzzy Hash: F9E0E5B3600AC0D6DB40CF6AE584269B360EB48B99F19C02ADB184B718DA39C094CB00
                                                                    APIs
                                                                    • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE003CBE1C
                                                                      • Part of subcall function 00007FFE003CDE1C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFE003CDE24
                                                                      • Part of subcall function 00007FFE003CDE1C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE003CDE29
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                    • String ID:
                                                                    • API String ID: 1208906642-0
                                                                    • Opcode ID: ace1e87e0addd771cc244c9e6dcdaad3f3a174f17219fae7662bfe84eee06147
                                                                    • Instruction ID: a76b6f0519ac4ea72008b098e439a25e8185591014e77f6851ffdac618e449c9
                                                                    • Opcode Fuzzy Hash: ace1e87e0addd771cc244c9e6dcdaad3f3a174f17219fae7662bfe84eee06147
                                                                    • Instruction Fuzzy Hash: 99E092A4D0D24240FEEB26712103AF983801F21704F542078EB4E823ABDE4E34565322
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ExitFatal
                                                                    • String ID:
                                                                    • API String ID: 3155629236-0
                                                                    • Opcode ID: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
                                                                    • Instruction ID: acba1fe49ee8351d4f0489dbb5485bd46bb8baaf7d3ea97e89b45ff6e6ab8d73
                                                                    • Opcode Fuzzy Hash: 00ca3bb6c16bf401e8107cfd5d380dc7284680fb22f24669aa6de33ca1ad307b
                                                                    • Instruction Fuzzy Hash: BEE0E2F3701A80C6DB14CF69C48536877A1EB58B8AF19D019CB1C4B394EA3AC489CB10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
                                                                    • Instruction ID: 3d8f7e631a3ccd99bc0deaa089928b8581e76186698eec05205fca20e431eef2
                                                                    • Opcode Fuzzy Hash: 58984d69895f230553de08d39cbae206efa4d1f7ff968e70513416a8fd665297
                                                                    • Instruction Fuzzy Hash: 1411F0B7700A88C6CB10CF6AD888AA837A4F75CB89F268016DF1C83750DB36C495CB00
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 4292702814-0
                                                                    • Opcode ID: 4aeada3056b48720d5248332ab97d1d4c82a395e32c37c5675c881d1979179e2
                                                                    • Instruction ID: eb5f27f0d7bad1c4232b3d1adf6182d242db67ec280eedca9875650467f536cf
                                                                    • Opcode Fuzzy Hash: 4aeada3056b48720d5248332ab97d1d4c82a395e32c37c5675c881d1979179e2
                                                                    • Instruction Fuzzy Hash: 35F06D14F0924341FE56666599593B913901F64B90F0C5531EB0E873FFEF9CEA808220
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1987235834.00007FFE00341000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE00340000, based on PE: true
                                                                    • Associated: 00000008.00000002.1987173407.00007FFE00340000.00000002.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987514617.00007FFE003F9000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987574788.00007FFE003FA000.00000008.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1987906185.00007FFE00472000.00000004.00000001.01000000.00000009.sdmp
                                                                    • Associated: 00000008.00000002.1988001661.00007FFE00478000.00000002.00000001.01000000.00000009.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ffe00340000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: AllocGlobal
                                                                    • String ID:
                                                                    • API String ID: 3761449716-0
                                                                    • Opcode ID: 8fea5eb6323e3e63017db24c699ab59a48e80916294d6c97a701adab72061d90
                                                                    • Instruction ID: c4390af75f89330070d097c7c49b29603c7a0856d5e46e461b1317677b76f78d
                                                                    • Opcode Fuzzy Hash: 8fea5eb6323e3e63017db24c699ab59a48e80916294d6c97a701adab72061d90
                                                                    • Instruction Fuzzy Hash: A1F015B3200B84D6CB44CF59E5C42A973A0E748B8AF64802ADB5D43324CF36C595C741
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$free$Cipher$C_update_exithtonl$C_finalC_initFinalInit_exO_memcmpR_clear_errorUpdateX_get_mac_size__stdio_common_vsprintf
                                                                    • String ID: $ $ $%.*s$%02x$%s: EVP_CipherUpdate() failed$%s: cipher final failed$%s: cipher reset failed$%s: client key authentication error$%s: failed to initialize IV$%s: failed to read client key$%s: invalid length$%s: metadata too large for supplied buffer$%s: net_len=%u, BLEN=%i$%s: packet authentication failed$%s: packet replay$%s: packet too short$%s: potential buffer overflow$%s: unwrapping client key (len=%d): %s$%s: wrapped client key too big$--tls-crypt-v2-verify$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\tls_crypt.c$Can not locate tls-crypt-v2 client key$Can not unwrap tls-crypt-v2 client key$Client wants tls-crypt-v2, but no server key present.$Control Channel Encryption$Control Channel: using tls-crypt-v2 key$ERROR: --tls-crypt-v2 not supported$ERROR: could not PEM-encode client key$ERROR: could not crypt: insufficient space in dst$ERROR: could not generate random key$ERROR: could not wrap generated client key$ERROR: could not write client key file$ERROR: could not write tag$ERROR: failed to base64 decode provided metadata$ERROR: invalid tls-crypt-v2 client key format$ERROR: invalid tls-crypt-v2 server key format$ERROR: metadata too long (%d bytes, max %u bytes)$ERROR: not enough data in tls-crypt-v2 client key$EVP_MAC_init failed$Executing tls-crypt-v2-verify$INET address service: %s %s/%d$OpenVPN tls-crypt-v2 client key$RAND_bytes() failed$TLS CRYPT V2 VERIFY SCRIPT ERROR$TLS CRYPT V2 VERIFY SCRIPT OK$TLS-CRYPT UNWRAP AD: %s$TLS-CRYPT UNWRAP FROM: %s$TLS-CRYPT UNWRAP TO: %s$TLS-CRYPT WRAP TAG: %s$TUN$TUN: %s address failed using service: %s [status=%u if_index=%d]$Testing client-side key loading...$Testing server-side key loading...$WARNING: Failed running command (%s)$WARNING: failed to remove temp file '%s$add$adding$buf_advance(&plaintext, sizeof(client_key->keys))$buf_advance(&tmp, TLS_CRYPT_OFF_PID)$buf_inc_len(&metadata, decoded_len)$buf_inc_len(&plaintext, 
outlen)$buf_inc_len(&work, outlen)$buf_inc_len(buf, -(BLEN(&wrapped_client_key)))$buf_inc_len(dst, outlen)$buf_write(&dst, client_key.keys, sizeof(client_key.keys))$buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_TIMESTAMP, 1)$buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1)$buf_write(&metadata, &timestamp, sizeof(timestamp))$buf_write(&work, &net_len, sizeof(net_len))$cipher_ctx_final(cipher_ctx, BEND(&work), &outlen)$cipher_ctx_reset(cipher_ctx, tag)$cipher_ctx_update$ctx->cipher$deleting$metadata_file$metadata_type$opt$packet_id_initialized(&opt->packet_id) || (opt->flags & CO_IGNORE_PACKET_ID)$packet_id_read(&pin, &tmp, true)$remove$script_type$src->len > 0$tag : %s$tag_check: %s$tls-crypt unwrap error$tls-crypt-v2 server key$tls-crypt-v2-verify$tls_crypt_v2_metadata_$tls_crypt_v2_unwrap_client_key$tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata, test_wrapped_client_key, &server_key)
                                                                    • API String ID: 380149588-3871694270
                                                                    • Opcode ID: 1afc86c4f5c5f50da67d961d1351a5da7cc90ddc7bd300f738aa20ed759cac6e
                                                                    • Instruction ID: e9622b8eece7c0454db8f4d3400d60e548efadd46798ea9223e64607a95e8460
                                                                    • Opcode Fuzzy Hash: 1afc86c4f5c5f50da67d961d1351a5da7cc90ddc7bd300f738aa20ed759cac6e
                                                                    • Instruction Fuzzy Hash: F292E421F9864286FB14EB60F4443B9ABA6FF80748FE44535CA1F57A99DE3CE446C360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: %u$!reliable_pid_min(pid, rel->packet_id)$ACK %u is a replay: %s$ACK acknowledge ID %u (ack->len=%d)$ACK acknowledge ID %u FAILED (ack->len=%d)$ACK mark active incoming ID %u$ACK no free receive buffer available: %s$ACK read BAD SESSION-ID FROM REMOTE, local=%s, remote=%s$ACK read ID %u (buf->len=%d)$ACK read ID FAILED (buf->len=%d)$ACK received for pid %u, deleting from send buffer$ACK reliable_schedule_now$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\reliable.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$Incoming control channel packet too big, dropping.$Peer tried unsupported key-method 1$TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s$TLS ERROR: received control packet with stale session-id=%s$TLS Error: Cannot accept new session request from %s due to session context expire or --single-session$TLS Error: Existing session control channel packet from unknown IP address: %s$TLS Error: Received control packet from unexpected IP addr: %s$TLS Error: Unroutable control packet received from %s (si=%d op=%s)$TLS Error: client->client or server->server connection attempted from %s$TLS Error: reading acknowledgement record from packet$TLS Error: session-id not found in packet from %s$TLS Error: unknown opcode received from %s op=%d$TLS: Initial packet from %s, sid=%s$TLS: control channel, op=%s, IP=%s$TLS: found match, session[%d], sid=%s$TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s$TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s$TLS: received control channel packet s#=%d sid=%s$[%u]$[NULL]$false$ks->state != S_ERROR$ks->state != S_UNDEF$session_id_defined(&session->session_id)
                                                                    • API String ID: 2803490479-1960415790
                                                                    • Opcode ID: 143a6c24d1539054254afb77238d2795caab912242bde4b7c43f88048d5f79b7
                                                                    • Instruction ID: 0b460451bddb4e3fc8d490bb1f23095fe2bd8c79e1d3799dc74074892d978f7f
                                                                    • Opcode Fuzzy Hash: 143a6c24d1539054254afb77238d2795caab912242bde4b7c43f88048d5f79b7
                                                                    • Instruction Fuzzy Hash: FBE28E21E99652C5FA10EB64E4802BDBBA1FF84784FE44035DA4F17A95DF3CE942C760
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$free$memset$_exitfgetsstrchrstrncpy$fclose
                                                                    • String ID: @$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\console.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\misc.c$CHALLENGE: %s$CRV1::%s::%s$ERROR: %s username is empty$ERROR: Failed retrieving username or password$ERROR: could not base64-encode password/static_response$ERROR: could not read %s ok-confirmation from stdin$ERROR: could not read challenge response from stdin$ERROR: could not retrieve static challenge response$ERROR: received malformed challenge request from server$ERROR: username from %s authfile '%s' is empty$Enter %s Password:$Enter %s Username:$Error opening '%s' auth file: %s$Error reading password from %s authfile: %s$Error reading username from %s authfile: %s$NEED-OK|%s|%s:$No password found in %s authfile '%s'. Querying the management interface$Note: previous '%s' credentials failed$SCRV1:%s:%s$SESS_ID_$i < QUERY_USER_NUMSLOTS$make_arg_array$n >= 0 && n + base + 1 <= max_parms$prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL$stdin$str
                                                                    • API String ID: 3045993279-932351873
                                                                    • Opcode ID: 924279bbff4b0c103b54e11c29a485d7b05ca7d0d4e1b68444afb3e365500376
                                                                    • Instruction ID: dc4743082196f9f5ea97d59bcb4588079de53dc1b50a200cb58918057abeca2e
                                                                    • Opcode Fuzzy Hash: 924279bbff4b0c103b54e11c29a485d7b05ca7d0d4e1b68444afb3e365500376
                                                                    • Instruction Fuzzy Hash: 8B82D621E8978281FA15AB14A5943B9EFA1FF44784FE44135DA4F87799EE3CE487C320
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$free$_exit$R_get_modememset$Any_exD_fetchD_freeR_fetchR_freeR_get_flags__acrt_iob_funccallocexitfprintfpkcs11h_certificate_sign
                                                                    • String ID: !options->test_crypto$BF-CBC$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\init.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_openssl.c$Control Channel MTU parms$ERROR: --%s requires %s support.$ERROR: Cannot load auth-token secret$ERROR: not enough data in auth-token secret$Error: private key password verification failed$NULL != ctx$OpenVPN auth-token server key$Re-using SSL/TLS context$SHA256$TAS$TLS-Auth MTU parms$auth-gen-token$auth-token secret$ciphername$gfff$none$options->tls_server == !options->tls_client$options->tls_server || options->tls_client$private-key-password-failure$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 2521965006-2305849387
                                                                    • Opcode ID: eb105fa63fe9332fcd7743fcd4e5a59a4a1cb2e5116f93920d676fe26b93b187
                                                                    • Instruction ID: 4dfe59966ee3c9cc1d41b08289b8c47902c5265d87fcf5a305e5c85e62cec837
                                                                    • Opcode Fuzzy Hash: eb105fa63fe9332fcd7743fcd4e5a59a4a1cb2e5116f93920d676fe26b93b187
                                                                    • Instruction Fuzzy Hash: D7B2A222E08BC186E751DF28D4003F8B7A0FB95758F689235DF8D5B656EF38A295C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$atoihtonlinet_ntoamalloc$__stdio_common_vsprintfstrncpy
                                                                    • String ID: 0 <= x && x < mod && -mod <= y && y <= mod$>PKCS11ID-COUNT:%d$@$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$END$ERROR: %s of type '%s' entered, but we need one of type '%s'$ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'$ERROR: The '%s' command is not supported by the current daemon mode$ERROR: client at address %s:%d not found$ERROR: common name '%s' not found$ERROR: error parsing IP address: %s$ERROR: kill parse$ERROR: no %s is currently needed at this time$ERROR: port number is out of range: %s$PKCS#11: Cannot get certificate list %ld-'%s'$PKCS#11: pkcs11_management_id_count - entered$PKCS#11: pkcs11_management_id_count - return count=%d$SUCCESS: %d client(s) at address %s:%d killed$SUCCESS: '%s' %s entered, but not yet verified$SUCCESS: common name '%s' found, %d client(s) killed$SUCCESS: real-time %s notification set to OFF$SUCCESS: real-time %s notification set to ON$all$kill$man->connection.up_query_type$off
                                                                    • API String ID: 3011225574-532987796
                                                                    • Opcode ID: 7f52540132923405dfa0e60b7fcfacf501be6ba923415182122fe1ffa25bf520
                                                                    • Instruction ID: dd34b3bf3ef95fbdb9ee6278aac61140725ff21b0bf5c5e5fd240b48c58159ff
                                                                    • Opcode Fuzzy Hash: 7f52540132923405dfa0e60b7fcfacf501be6ba923415182122fe1ffa25bf520
                                                                    • Instruction Fuzzy Hash: 3F42DE61E9D68282EA14BB10B4403B8E7A1FFC5790FE44135DA4F87B95EE2CE547D720
                                                                    APIs
                                                                    • memset.VCRUNTIME140 ref: 00007FF7870C2BFE
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64 ref: 00007FF7870C2C4D
                                                                    • EVP_CIPHER_get_mode.LIBCRYPTO-3-X64 ref: 00007FF7870C2C5E
                                                                    • EVP_CIPHER_get_nid.LIBCRYPTO-3-X64 ref: 00007FF7870C2C6E
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64 ref: 00007FF7870C2C7E
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64 ref: 00007FF7870C2C89
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                    • memcmp.VCRUNTIME140 ref: 00007FF7870C319D
                                                                    • memcmp.VCRUNTIME140 ref: 00007FF7870C31B6
                                                                      • Part of subcall function 00007FF7870C16B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,FFFFFFFF,?,00000000,00000000,56D81A5E,00007FF7870C3125), ref: 00007FF7870C176B
                                                                      • Part of subcall function 00007FF7870C16B0: htonl.WS2_32 ref: 00007FF7870C17A3
                                                                      • Part of subcall function 00007FF7870C16B0: inet_ntoa.WS2_32 ref: 00007FF7870C17AB
                                                                      • Part of subcall function 00007FF7870C16B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,FFFFFFFF,?,00000000,00000000,56D81A5E,00007FF7870C3125), ref: 00007FF7870C1803
                                                                      • Part of subcall function 00007FF7870C16B0: htonl.WS2_32 ref: 00007FF7870C183D
                                                                      • Part of subcall function 00007FF7870C16B0: inet_ntoa.WS2_32 ref: 00007FF7870C1845
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A1017
                                                                      • Part of subcall function 00007FF7870A1000: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7870A1037
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A1040
                                                                      • Part of subcall function 00007FF7870A1000: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7870A10C2
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A10CB
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CountTick$R_free_time64htonlinet_ntoamallocmemcmp$R_fetchR_get_modeR_get_nid__stdio_common_vsprintfmemset
                                                                    • String ID: %llu$ cc-exit$ dyn-tls-crypt$ tls-ekm$%s: peer-id %d, fd %d$, compression: '%s'$, peer-id: %d$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\dco.c$Cannot set parameters for DCO peer (id=%u): %s$Data Channel: cipher '%s'$Data Channel: cipher '%s', auth '%s'$ERROR: Failed to apply DCO keepalive or MSS fix parameters$ERROR: Failed to apply push options$NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.$Need hold release from management interface, waiting...$OPTIONS ERROR: failed to import crypto options$Protocol options: $Timers: $Warning: SetEvent/ResetEvent failed in net_event_win32_reset_write$ciphername$dco-win doesn't yet support reopening TUN device$dco_new_peer$explicit-exit-notify %d$inactive %d$ls->info.connection_established$man_standalone_ok(man)$ping %d$ping-exit %d$ping-restart %d$protocol-flags$session-timeout %d
                                                                    • API String ID: 3568111874-781789071
                                                                    • Opcode ID: 00918f3cb5946f9bcdf09531064260c385ca47f733b1c3cb0c57d924fab4d701
                                                                    • Instruction ID: f9aaf96f8bab02e503d42269d99c2cc7593e464f19391182b6899e75ed5f007a
                                                                    • Opcode Fuzzy Hash: 00918f3cb5946f9bcdf09531064260c385ca47f733b1c3cb0c57d924fab4d701
                                                                    • Instruction Fuzzy Hash: BA52B331A9868281EB60BB11E4402B9E751FFC4B98FE44135DA4E87A99DF3CE587D730
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: calloc$freememcpystrtok$mallocstrncpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$Length of --data-ciphers is over the limit of 127 chars$Unsupported %scipher algorithm '%s'. It does not use CFB, OFB, CBC, or a supported AEAD mode$Unsupported %scipher in --data-ciphers: %s$WARNING: cipher 'none' specified for --data-ciphers. This allows negotiation of NO encryption and tunnelled data WILL then be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!$[null-cipher]$ciphername$none$optional
                                                                    • API String ID: 3147589124-2633421923
                                                                    • Opcode ID: 4fc4ec28340074b8986ecdddbc4ec2ec2d738a80144a93f1869f7762d9c29437
                                                                    • Instruction ID: 91a75927cd8cdb277880f93f08629a65a280880a4f8ca809621fabdc66d2b22e
                                                                    • Opcode Fuzzy Hash: 4fc4ec28340074b8986ecdddbc4ec2ec2d738a80144a93f1869f7762d9c29437
                                                                    • Instruction Fuzzy Hash: 19F1D621E8964245FA14BB22B50127CABA2BF85F94FE80575CD2F57B95EE3CE447C320
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A346B
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A34D3
                                                                    • memcpy.VCRUNTIME140 ref: 00007FF7870A3500
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A3600
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A363B
                                                                    • memcpy.VCRUNTIME140(?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A36F8
                                                                    • memcpy.VCRUNTIME140(?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A373C
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A3745
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00007FF7870CE26A), ref: 00007FF7870A375B
                                                                      • Part of subcall function 00007FF7870B3310: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870B3319
                                                                      • Part of subcall function 00007FF7870B3310: fprintf.MSPDB140-MSVCRT ref: 00007FF7870B3329
                                                                      • Part of subcall function 00007FF7870B3310: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870B3333
                                                                      • Part of subcall function 00007FF7870A2610: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870A2640
                                                                      • Part of subcall function 00007FF7870A2610: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A2690
                                                                      • Part of subcall function 00007FF787103F50: MultiByteToWideChar.KERNEL32 ref: 00007FF787103F8E
                                                                      • Part of subcall function 00007FF787103F50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787103FA5
                                                                      • Part of subcall function 00007FF787103F50: MultiByteToWideChar.KERNEL32 ref: 00007FF787103FD9
                                                                      • Part of subcall function 00007FF787103F50: _wstat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF787103FE5
                                                                      • Part of subcall function 00007FF787103F50: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787103FF6
                                                                      • Part of subcall function 00007FF787103D20: MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103D65
                                                                      • Part of subcall function 00007FF787103D20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103D7C
                                                                      • Part of subcall function 00007FF787103D20: MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103DAB
                                                                      • Part of subcall function 00007FF787103D20: MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103DC8
                                                                      • Part of subcall function 00007FF787103D20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103DDF
                                                                      • Part of subcall function 00007FF787103D20: MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103E0B
                                                                      • Part of subcall function 00007FF787103D20: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103E17
                                                                      • Part of subcall function 00007FF787103D20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000000,?,00007FF7870A3837), ref: 00007FF787103E26
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A388C
                                                                    • fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A38F1
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A3933
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A394A
                                                                    • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A39A2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$ByteCharMultiWide$free$memcpy$calloc$__acrt_iob_func_exit_wfopen_wstat64i32exitfclosefprintffread
                                                                    • String ID: CNAT[%d] t=%d %s/%s/%s$!ol->head$*** CNAT list$@$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$WARNING: client-nat table overflow (max %d entries)$buf_inc_len(&ret, (int)read_size)$client-nat: bad foreign network: %s$client-nat: bad netmask: %s$client-nat: bad network: %s$ol->head$snat
                                                                    • API String ID: 2294394663-4267946636
                                                                    • Opcode ID: d257b4cad0f0ad5defe3afda91f942d32cc3782afc45b3c45fa968fafb194dbf
                                                                    • Instruction ID: 74426acb41f565b0d9a25cf47a9c0cc4c9880c3a6eaeacd135cd6db30e59c105
                                                                    • Opcode Fuzzy Hash: d257b4cad0f0ad5defe3afda91f942d32cc3782afc45b3c45fa968fafb194dbf
                                                                    • Instruction Fuzzy Hash: 2A52A422A4878186EB14EF25E440379F7A1FF84788FA48135DA4E87B95DF3CE596C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$htonl$__stdio_common_vsprintfmemcpy
                                                                    • String ID: %s$ / time = (%u) %s$ DATA %s$ DATA len=%d$ pid=%s$ pid=%u$ sid=%s$ tls_crypt_hmac=%s$ tls_hmac=%s$%02x$%s kid=%d$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$DATA UNDEF len=%d$P$[ #%u$tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH
                                                                    • API String ID: 1384873380-3281156924
                                                                    • Opcode ID: d06eb2533d4ac6bcd58374a834234b5388003a6d6476eaea5038797e83c87b23
                                                                    • Instruction ID: f9212a1b0b207f76d26c8a63702d7a31d7742d9345659a6e354b103e9e4ee290
                                                                    • Opcode Fuzzy Hash: d06eb2533d4ac6bcd58374a834234b5388003a6d6476eaea5038797e83c87b23
                                                                    • Instruction Fuzzy Hash: ED52E322E58B4286EB11EF14B540279EFB1BFC5785FA04135DA4F46E99EE3CE846C720
                                                                    Similarity
                                                                    • API ID: ErrorLast$Event$FileRecvReset_exitfree$FromReadWritehtonsmemcpy
                                                                    • String ID: BUG: link_socket_read_tcp(): sock->sd==-1, reset client instance$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$ERROR: received strange incoming packet with an address length of %d -- we only accept address lengths of %d.$ResetEvent(sock->reads.overlapped.hEvent)$STREAM: GET FINAL len=%d$STREAM: GET NEXT len=%d$STREAM: RESET$STREAM: WRITE %d offset=%d$SetEvent(sock->reads.overlapped.hEvent)$WIN32 I/O: Socket Receive error [%d]: %s$WIN32 I/O: Socket Receive immediate return [%d,%d]$WIN32 I/O: Socket Receive queued [%d]$buf_defined(&sb->buf)$buf_defined(&sb->next)$buf_write_prepend(buf, &len, sizeof(len))$len <= sock->stream_buf.maxlen$proto >= 0 && proto < PROTO_N$wsabuf[0].len <= BLEN(&sock->reads.buf)
                                                                    • API String ID: 1809827303-1195219215
                                                                    • Opcode ID: 7366de2be6acfb5513f0286e0300818d38855823eb2e970bdffc304020ea6c1e
                                                                    • Instruction ID: 7c926ccbe14b87b9135a025b433754eced2c99d548d8451c73b1beb3a4290409
                                                                    • Opcode Fuzzy Hash: 7366de2be6acfb5513f0286e0300818d38855823eb2e970bdffc304020ea6c1e
                                                                    • Instruction Fuzzy Hash: 4B32CF32E48A8286E614AF24F4442B8FB60FB94784FA45131DA6E4BE95DF3CE556C730
                                                                    Similarity
                                                                    • API ID: Fwpm$EngineFreeMemory0$Close0ConvertIndexInterfaceKey0LayerLuidOpen0memset
                                                                    • String ID: Add filter to block IPv4 DNS traffic failed$Add filter to block IPv6 DNS traffic failed$Add filter to permit IPv4 DNS traffic through TAP failed$Add filter to permit IPv4 port 53 traffic from OpenVPN failed$Add filter to permit IPv6 DNS traffic through TAP failed$Add filter to permit IPv6 port 53 traffic from OpenVPN failed$Block_DNS: Added a persistent sublayer with pre-defined UUID$Block_DNS: Added block filters for all interfaces$Block_DNS: Added permit filters for TAP interface$Block_DNS: Added permit filters for exe_path$Block_DNS: Using existing sublayer$Block_DNS: WFP engine opened$Convert interface index to luid failed$FwpEngineOpen: open fwp session failed$Get byte blob for openvpn executable name failed$OpenVPN$add_sublayer: failed to add persistent sublayer
                                                                    • API String ID: 1723056124-4259130440
                                                                    • Opcode ID: 29cd173e175c34d014592a56532ead9b22d349961c1be3ac37add17c1aa73166
                                                                    • Instruction ID: 6c17409b37950ef281c07e71fc2a3cc1f064d39a26de6ea5770db37a3a18d3eb
                                                                    • Opcode Fuzzy Hash: 29cd173e175c34d014592a56532ead9b22d349961c1be3ac37add17c1aa73166
                                                                    • Instruction Fuzzy Hash: BBE17332D48BC285E7219F24E8417F8A7B1FB98348FE05135DA4E86A55EF78E2C6C310
                                                                    Similarity
                                                                    • API ID: ConditionMask$InfoVerifyVersion$memset$_exit
                                                                    • String ID: Error: Windows version must be XP or greater.
                                                                    • API String ID: 2007392446-681966143
                                                                    • Opcode ID: c4257da68e6beeba14109d7818ada4f2101440bcbf2f1321422ff0f9df8df272
                                                                    • Instruction ID: 393c0dca313e20f51da021c3db4ac89a6d0fc7fbcbef49e2b03f30bb67dc14f9
                                                                    • Opcode Fuzzy Hash: c4257da68e6beeba14109d7818ada4f2101440bcbf2f1321422ff0f9df8df272
                                                                    • Instruction Fuzzy Hash: 29A17031A4860186E760DF20F4557AABBA2FBC4B48F506138E64F47B68EF7DD54ACB10
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787123815
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,00007FF787123C1B), ref: 00007FF787123967
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,00007FF787123C1B), ref: 00007FF787123994
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787123A19
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787123A44
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,00007FF787123C1B), ref: 00007FF787123A96
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,00007FF787123C1B), ref: 00007FF787123AC4
                                                                    • ERR_clear_error.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF78712576C), ref: 00007FF787123C1B
                                                                      • Part of subcall function 00007FF787118AB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787118B02
                                                                      • Part of subcall function 00007FF787118AB0: memset.VCRUNTIME140 ref: 00007FF787118B4C
                                                                      • Part of subcall function 00007FF787118AB0: getnameinfo.WS2_32 ref: 00007FF787118C50
                                                                      • Part of subcall function 00007FF787118AB0: FormatMessageA.KERNEL32 ref: 00007FF787118C87
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                    Similarity
                                                                    • API ID: free$malloc$FormatMessageR_clear_error__stdio_common_vsprintfgetnameinfomemset
                                                                    • String ID: (deferred)$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_common.h$Key %s [%d] not authorized%s, dropping packet.$Key %s [%d] not initialized (yet), dropping packet.$Protocol error: received P_DATA_V2 from %s but length is < 4$TLS Error: local/remote TLS keys are out of sync: %s (received key id: %d, known key ids: %s)$TLS: tls_pre_decrypt, key_id=%d, IP=%s$[NULL]$buf_advance(buf, 1)$false$ks->crypto_options.key_ctx_bi.initialized
                                                                    • API String ID: 4060640804-123584870
                                                                    • Opcode ID: 32c1891dfc93897cc81d07f3c4c9767992b474515c2eee7126025d0356e5fd11
                                                                    • Instruction ID: ec12754371c7319d0c9d6b1fd524db141b19f382cb4d05a7e93f7e37526665d0
                                                                    • Opcode Fuzzy Hash: 32c1891dfc93897cc81d07f3c4c9767992b474515c2eee7126025d0356e5fd11
                                                                    • Instruction Fuzzy Hash: 06327A32EA9A52C6EA15EB15F5452B8AB61BF84B84FA44032CE4E17F55DF3CE447C320
                                                                    Similarity
                                                                    • API ID: FormatMessagefreegetaddrinfo$_errno_exitfreeaddrinfohtonl
                                                                    • String ID: !$!(flags & GETADDR_HOST_ORDER)$!@$%u.%u.%u.%u$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.c$GETADDRINFO flags=0x%04x ai_family=%d ai_socktype=%d$RESOLVE: Cannot parse IP address: %s:%s (%s)$RESOLVE: Cannot resolve host address: %s:%s (%s)$RESOLVE: Cannot resolve host address: %s:%s (%s) (I would have retried this name query if you had specified the --resolv-retry option.)$RESOLVE: Ignored SIGUSR1 signal received during DNS resolution attempt$RESOLVE: signal received during DNS resolution attempt$WARNING: ignoring --remote-random-hostname because the hostname is an IP address$buf_inc_len(&ret, (int)read_size)$gfff$hostname || servname$res$undefined
                                                                    • API String ID: 2288921036-1362950862
                                                                    • Opcode ID: 76c340e7498f22dd36503456e82e4f5e2c9a800d13fc7fc81f48d8c99a384097
                                                                    • Instruction ID: 5f96a3026416a32b7529a633a0eec7eeb4e83efc3f6dd035ad3afd7963905427
                                                                    • Opcode Fuzzy Hash: 76c340e7498f22dd36503456e82e4f5e2c9a800d13fc7fc81f48d8c99a384097
                                                                    • Instruction Fuzzy Hash: 64129231E4864282FA64AB14B4803B9EA91FFC4B90FA45135DE8F5BB95DF3CE446C760
                                                                    Similarity
                                                                    • API ID: R_fetchR_free$R_get_mode$R_get_flagsR_get_nid$R_get_iv_length
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_backend.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$buf_init(&work, frame->buf.headroom)$ciphername$none
                                                                    • API String ID: 3412402220-4141282390
                                                                    • Opcode ID: 92499ea3f1b541d0bca4b9cd6c5dfebe2429d77057c766d004109f9d386fe082
                                                                    • Instruction ID: 20a922340ee3f8d694d105b9fd9c04a5d04f25401be3b39a32c82c95d3e904ff
                                                                    • Opcode Fuzzy Hash: 92499ea3f1b541d0bca4b9cd6c5dfebe2429d77057c766d004109f9d386fe082
                                                                    • Instruction Fuzzy Hash: 2D816021F9C65642EE14BB62A415179E691BF99F80FED4435CE0F87BA1EE2CE446C330
                                                                    Similarity
                                                                    • API ID: malloc$ByteCharCloseEnumMultiOpenWide_exit$QueryValuecallocmemcpy
                                                                    • String ID: %s\%s\Connection$Error enumerating registry subkeys of key: %s$Error opening registry key: %s$Error opening registry key: %s\%s\%ls$SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
                                                                    • API String ID: 2397854197-1468838861
                                                                    • Opcode ID: 91daf308980fb084b93f883104c1d118c11d7e73ea786a4a3301b1f7f836ec3f
                                                                    • Instruction ID: 6ddf836bf4945e59ed1c02e946cea104d507467a08f1c55088bdc3bc7fbecd28
                                                                    • Opcode Fuzzy Hash: 91daf308980fb084b93f883104c1d118c11d7e73ea786a4a3301b1f7f836ec3f
                                                                    • Instruction Fuzzy Hash: 5CC15431E48B4681E750AF51F8402A9BBA5FBC8758FA40535EA9E43F94EF3CD546C720
                                                                    Similarity
                                                                    • API ID: strcmp$_exitmemcpy$ControlDeviceR_fetchR_freeR_get_key_length
                                                                    • String ID: %s: slot %d, key-id %d, peer-id %d, cipher %s$AES-128-GCM$AES-192-GCM$AES-256-GCM$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\dco_win.c$CHACHA20-POLY1305$DCO: provided unsupported cipher: %s$DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed$ciphername$crypto_data.CipherAlg > 0$dco_new_key
                                                                    • API String ID: 3389766186-522471507
                                                                    • Opcode ID: 622622f20ed82f8a2ed51833332abc861bb1b25190db24bfad7429967bf5b5a4
                                                                    • Instruction ID: 695b11db49e5e943617890281e47b7964c4eda78623271b818033f3057b5a458
                                                                    • Opcode Fuzzy Hash: 622622f20ed82f8a2ed51833332abc861bb1b25190db24bfad7429967bf5b5a4
                                                                    • Instruction Fuzzy Hash: 05717432E5C78281EA64EB15B8113AAE791FBC4784FE04135DA8E97B55EF3CD186C710
                                                                    Similarity
                                                                    • API ID: free$strcmp$O_memcmp_closemallocrecv
                                                                    • String ID: END$ERROR: bad password$MAN: client connection rejected after %d failed password attempts$MANAGEMENT: CMD '%s'$MANAGEMENT: CMD 'password [...]'$SUCCESS: password is correct$TCP$load-stats$password
                                                                    • API String ID: 462450963-3486594601
                                                                    • Opcode ID: 1a188d8dbcf9503ff361fb643d73cb1d66e012992a1df4f2b7ff7b055a727814
                                                                    • Instruction ID: 47bcda7bffd4f9151a98abe84b00f58627617b7b0a9303a92aa37b90b454abd8
                                                                    • Opcode Fuzzy Hash: 1a188d8dbcf9503ff361fb643d73cb1d66e012992a1df4f2b7ff7b055a727814
                                                                    • Instruction Fuzzy Hash: FC02C432E4C68282F720EB21E4502B9A7A1FBD4798FA54135DE4E87755EF3CE592C360
                                                                    Similarity
                                                                    • API ID: malloc$htonlinet_ntoainet_ntop
                                                                    • String ID: %s%s interface %s delete address %lu %s store=active$%s%s interface %s delete dns %lu all$%s%s interface ipv4 delete winsservers %lu all$%s: command failed$@$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\win32.c$ERROR: command failed$NETSH$\system32\netsh.exe$ipv4$ipv6$win_sys_path
                                                                    • API String ID: 786485511-430533056
                                                                    • Opcode ID: 836ec534091f28972d964e7c3e09857bb9e9dcbc8f426aaa4776da1dc3356978
                                                                    • Instruction ID: 5c4beccb81f2e1625685318828cb6b7098b20698890b957330725f1642a2e0c0
                                                                    • Opcode Fuzzy Hash: 836ec534091f28972d964e7c3e09857bb9e9dcbc8f426aaa4776da1dc3356978
                                                                    • Instruction Fuzzy Hash: F2D16E71E8874285EB05FB64F4412F9AB61BFC4748FE04035DA4E56AA6EF3CE54AC320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Console$ByteCharDescriptorModeMultiSecurityWide_exit$CreateCtrlDaclEventHandleHandlerInitializeObjectSingleWaitfreemalloc
                                                                    • String ID: ERROR: Exit Event ('%s') is signaled$Error: win32_signal_open: SetConsoleMode failed$Error: win32_signal_open: init SA failed$NOTE: CreateEventW '%s' failed$WARN: SetConsoleCtrlHandler failed
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _exitfree$getsocknamelistensocket
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.c$Failed to get the management socket address$MANAGEMENT$MANAGEMENT: Client disconnected$MANAGEMENT: TCP Socket listening on %s$MANAGEMENT: Triggering management exit$MANAGEMENT: Triggering management signal$MANAGEMENT: listen() failed$addrinfo$addrinfo->ai_socktype == SOCK_STREAM$management-disconnect$management-exit
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memset$CloseOpenStartupValue_exit_wgetenv_s_wputenv_s
                                                                    • String ID: %ls$%ls\ssl\%ls$C:\Windows\System32$SOFTWARE\OpenVPN$WSAStartup failed$\
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Create$Event_exit$FileMapping$ControlDeviceEntryInterfaceSleepcalloc
                                                                    • String ID: Cannot allocate memory for ring buffer$Cannot create events for ring buffer$DeviceIoControl(OVPN_IOCTL_START_VPN) failed$dco_start_tun$interface %ld not yet ready, retrying
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: O_free$M_read_bioO_new_mem_buf_exitmemcpy
                                                                    • String ID: %s: PEM decode failed$%s: dst too small (%i, needs %li)$%s: unexpected PEM name (got '%s', expected '%s')$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$Cannot open memory BIO for PEM decode$crypto_pem_decode
                                                                    APIs
                                                                    • SetConsoleOutputCP.KERNEL32(?,?,00000000,0000027C), ref: 00007FF7870E4D39
                                                                    • memset.VCRUNTIME140(?,00000000,0000027C), ref: 00007FF7870E4D4B
                                                                    • memset.VCRUNTIME140(?,00000000,0000027C), ref: 00007FF7870E4D5F
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A1017
                                                                      • Part of subcall function 00007FF7870A1000: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7870A1037
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A1040
                                                                      • Part of subcall function 00007FF7870A1000: _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7870A10C2
                                                                      • Part of subcall function 00007FF7870A1000: GetTickCount.KERNEL32 ref: 00007FF7870A10CB
                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,0000027C), ref: 00007FF7870E4DC9
                                                                    • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,0000027C), ref: 00007FF7870E4DDA
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CountTick$__acrt_iob_func_time64memset$ConsoleOutput
                                                                    • String ID: struct session *
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID: %s,%s,%s$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\pool.c$IFCONFIG POOL LIST$buf_init(&in, 0)
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: free$callocmemcpy
                                                                    • String ID:
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$AdaptersInfo
                                                                    • String ID: TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s$down$ipv4$win_sys_path
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AlgorithmCryptProvider$CloseOpen
                                                                    • String ID: AES-128-GCM:AES-256-GCM:AES-192-GCM$AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305$CHACHA20_POLY1305
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: strncmp
                                                                    • String ID: I'm trying to parse "%s" as an --option parameter but I don't see a leading '--'$config
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                    • String ID:
                                                                    • API String ID: 2933794660-0
                                                                    • Opcode ID: 8bb8798fa24b04c6f855689a19d150424734e4ed990ee904e665654fc4bf7c4e
                                                                    • Instruction ID: 3777c3d8e6c30ba42afa57960bd14057d0e67aa66e5a32c826504fb870f5b87e
                                                                    • Opcode Fuzzy Hash: 8bb8798fa24b04c6f855689a19d150424734e4ed990ee904e665654fc4bf7c4e
                                                                    • Instruction Fuzzy Hash: AE114F22B54B018AEB00DF60E8552B877A4F758758F840E35DA6E46BA4EF38D19AC350
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\tls_crypt.c$key->n == 2 && other->n == 2
                                                                    • API String ID: 0-2684567639
                                                                    • Opcode ID: 120f2afdc7dd5c3ea57313a9a2338e5117b65b4b447236ae7c18a5bf4b9cf8c1
                                                                    • Instruction ID: 5d6d0740a194502b9302c6a64de19d26132d9bf8b2a9b381b0ecc7f495541274
                                                                    • Opcode Fuzzy Hash: 120f2afdc7dd5c3ea57313a9a2338e5117b65b4b447236ae7c18a5bf4b9cf8c1
                                                                    • Instruction Fuzzy Hash: 3691AD8340E6E005C70B877990A05BEBFE0D99BD2576F86DAD7E24F293C409C39ADB51
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: htonl$freemalloc$Fileinet_ntoa$AddressFlushReadTableWrite_exit
                                                                    • String ID: %02x$%s%s%s$.tap$Adapter %s is already in use$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\tun.c$CreateFile failed on %s device: %s$DHCP option string not set due to error$DHCP option string: %s$ERROR: Wintun requires SYSTEM privileges and therefore should be used with interactive service. If you want to use openvpn from command line, you need to do SYSTEM elevation yourself (for example with psexec).$ERROR: --dev tun also requires --ifconfig$ERROR: AddIPAddress %s/%s failed on interface %s, index=%lu, status=%lu (windows error: '%s') -- %s$ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun$ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode$ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call$ERROR: unable to get adapter index for interface %s -- %s$FAILED$Failed to register %s adapter ring buffers$Failed to register ring buffers$I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')$NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'$Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]$Register ring buffers$Register ring buffers failed using service: %s [status=0x%x]$Ring buffers registered via service$SUCCEEDED$Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]$Set TAP-Windows TUN with fake IPv4 [%s]$Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API$Successful ARP Flush on interface [%lu] %s$TUN$Using device interface: %s$WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'$\\.\Global\$ep[3] > 0$ovpn-dco$tap-windows6$tt->type == DEV_TYPE_TAP$unspecified$wintun
                                                                    • API String ID: 3908182678-2654160778
                                                                    • Opcode ID: 604c5edc02341e383df48ed9fdb2a8e50ed2ea4648dd6dcb13bc3f4685389dcc
                                                                    • Instruction ID: c3ce779b0cb1ab0e9ebf47ff520c91fac4134516197b27fa0236fd38a947b127
                                                                    • Opcode Fuzzy Hash: 604c5edc02341e383df48ed9fdb2a8e50ed2ea4648dd6dcb13bc3f4685389dcc
                                                                    • Instruction Fuzzy Hash: 5A02A432E4878185E710AF24E4412BDBB65FFC8748FA40235DA8E57B95EF3CA446C710
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: R_get_errorfreestrcmp$R_error_stringX_freeX_new_from_nameY_fromdataY_fromdata_initY_get0_type_name_exitstrncatstrncpy
                                                                    • String ID: %s,hashalg=%s$%s,hashalg=%s,saltlen=%s$,data=message$@$DigestSign$ECDSA$ECDSA,hashalg=%s$ED25519$ED448$In xkey_management_sign with keytype = %s, op = %s$OpenSSL error %lu: %s$OpenSSL error: failed to load key into ovpn.xkey provider$RSA padding mode not supported by management-client <%s>$RSA_NO_PADDING$RSA_PKCS1_PADDING$RSA_PKCS1_PSS_PADDING$Sign$`$external$free_op$handle$none$pkcs1$provider=ovpn.xkey$pss$pubkey$sign_op$tbs$xkey management_sign: requesting sig with algorithm <%s>$xkey-origin$xkey_management_sign: computing digest
                                                                    • API String ID: 3985632809-150305114
                                                                    • Opcode ID: 374e76871399fe97bf3cf43c52a9dd72386d820f32566e96b4e40421472b55af
                                                                    • Instruction ID: 66f46e26566e5da16f0e7052478fae060fa60bea34823e8883faa5ae93473740
                                                                    • Opcode Fuzzy Hash: 374e76871399fe97bf3cf43c52a9dd72386d820f32566e96b4e40421472b55af
                                                                    • Instruction Fuzzy Hash: AB129532E58B8685EB10AB51F4513B9BBA1FB86758FE00035DA8F53B55EE3CE546C320
                                                                    APIs
                                                                    Strings
                                                                    • --ifconfig 10.7.0.5 10.7.0.6 (on host A), xrefs: 00007FF787137621
                                                                    • must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver, xrefs: 00007FF787137429
                                                                    • cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver, xrefs: 00007FF78713744E
                                                                    • remote endpoints must be part of the same 255.255.255.252, xrefs: 00007FF7871375E5
                                                                    • As an example, the following option would be correct:, xrefs: 00007FF787137615
                                                                    • On Windows, point-to-point IP support (i.e. --dev tun), xrefs: 00007FF7871375BF
                                                                    • There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try 'openvpn --show-valid-subnets' option for more info., xrefs: 00007FF787137574
                                                                    • [%3d,%3d] , xrefs: 00007FF787137656
                                                                    • imposed by this approach is that the --ifconfig local and, xrefs: 00007FF7871375D9
                                                                    • component of the IP address pairs is at issue., xrefs: 00007FF787137609
                                                                    • is emulated by the TAP-Windows driver. The major limitation, xrefs: 00007FF7871375CD
                                                                    • --ifconfig 10.7.0.6 10.7.0.5 (on host B), xrefs: 00007FF78713762D
                                                                    • subnet. The following list shows examples of endpoint, xrefs: 00007FF7871375F1
                                                                    • must be different, xrefs: 00007FF787137415
                                                                    • because [5,6] is part of the below list., xrefs: 00007FF787137639
                                                                    • pairs which satisfy this requirement. Only the final, xrefs: 00007FF7871375FD
                                                                    Similarity
                                                                    • API ID: printf$__acrt_iob_funchtonlinet_ntoamalloc$__stdio_common_vfprintf_exitexitfprintf
                                                                    • String ID: --ifconfig 10.7.0.5 10.7.0.6 (on host A)$ --ifconfig 10.7.0.6 10.7.0.5 (on host B)$As an example, the following option would be correct:$On Windows, point-to-point IP support (i.e. --dev tun)$There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try 'openvpn --show-valid-subnets' option for more info.$[%3d,%3d] $because [5,6] is part of the below list.$cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver$component of the IP address pairs is at issue.$imposed by this approach is that the --ifconfig local and$is emulated by the TAP-Windows driver. The major limitation$must be different$must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver$pairs which satisfy this requirement. Only the final$remote endpoints must be part of the same 255.255.255.252$subnet. The following list shows examples of endpoint
                                                                    • API String ID: 2945620666-3734294087
                                                                    • Opcode ID: df0c1468a43f14069af28afbceb465faf2f01f358c2680085dc89d864996bb2f
                                                                    • Instruction ID: 587954f16dff4771f099febe5f75f5b171bd3c32c9407f87ee902c33ffda719f
                                                                    • Opcode Fuzzy Hash: df0c1468a43f14069af28afbceb465faf2f01f358c2680085dc89d864996bb2f
                                                                    • Instruction Fuzzy Hash: 7F716321E9865685FB00EF64F8911B8AB61BF84758FE80435DA4F52EA5EF3CE546C330
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$_exitcalloc
                                                                    • String ID: %s device [%s] opened$%s%s interface ip set address %lu dhcp$%s: command failed$(DEBUG)$Adapter '%s' is using %s driver, %s expected. If you want to use this device, adjust --windows-driver.$Adapter '%s' not found$All %s adapters on this system are currently in use or disabled.$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\tun.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\win32.c$ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade your Tap-Win32 driver.$ERROR: This version of OpenVPN requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your OpenVPN distribution, a reboot is probably required at this point to get Windows to see the new driver.$ERROR: command failed$Failed to open %s adapter: %s$NETSH$NOTE: could not get adapter index for %s$Sleeping for %d seconds...$Some --dhcp-option or --dns options require DHCP server, which is not supported by the selected %s driver. They will be ignored.$TAP-Windows Driver Version %d.%d %s$TAP-Windows MTU=%d$There are no TAP-Windows, Wintun or ovpn-dco adapters on this system. You should be able to create an adapter by using tapctl.exe utility.$Unknown virtual device type: '%s'$WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will not work. Upgrade your Tap-Win32 driver.$WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call.$\DEVICE\TCPIP_%hs$\system32\netsh.exe$device_number >= 0$null$open_tun$ovpn-dco$tap-windows6$unspecified$win_sys_path$wintun
                                                                    • API String ID: 1149598282-1342652516
                                                                    • Opcode ID: 1194d315558a40a4b633e7a5d27ab28d27d955a5cc1992e76dd99b28db390ec9
                                                                    • Instruction ID: 189de15c1f871c8cd6dc56e5a8e922e842174df44045ad465f3c049251b9e74b
                                                                    • Opcode Fuzzy Hash: 1194d315558a40a4b633e7a5d27ab28d27d955a5cc1992e76dd99b28db390ec9
                                                                    • Instruction Fuzzy Hash: B0516235E8874281FA54BB10B4543B9AB51BFC4784FA40435DA4F07BA5DE3CE54AC321
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Event$Resetmemset$EnumEventsNetworkObjectSingleWait_exitfreemallocmemcpy
                                                                    • String ID: MSG:%s$ SC:%d,%s$>%s$>%s:%s$>%s:Need '%s' %s$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$NEED-OK$NEED-STR$Need hold release from management interface, waiting...$Need information from management interface, waiting...$Need password(s) from management interface, waiting...$PASSWORD$PK_SIGN$RSA_SIGN$SUCCESS: %s command succeeded$Warning: SetEvent/ResetEvent failed in net_event_win32_reset_write$[[BLANK]]$buf_inc_len(&ret, (int)read_size)$certificate$confirmation$man_standalone_ok(man)$password$pk-sign$rand_bytes(output, len)$rsa-sign$string$username/password
                                                                    • API String ID: 3810465939-1946045651
                                                                    • Opcode ID: bc92622e5fe118b8c23c6cf0a2fa1997a3e8bc8d0173ad730354a53e997ced13
                                                                    • Instruction ID: 8a2e6440984d97ed99b433859d549bedc73464f9341503e3c8259b19c890ca5e
                                                                    • Opcode Fuzzy Hash: bc92622e5fe118b8c23c6cf0a2fa1997a3e8bc8d0173ad730354a53e997ced13
                                                                    • Instruction Fuzzy Hash: EC129C32F8864286F718EB61E5553F8A7A1BB84758FA04035CA0E87B95EF38F517C361
                                                                    APIs
                                                                    Strings
                                                                    • --dhcp-renew, xrefs: 00007FF78713BF83
                                                                    • I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi'), xrefs: 00007FF78713C010
                                                                    • WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically', xrefs: 00007FF78713BE86
                                                                    • Successful ARP Flush on interface [%lu] %s, xrefs: 00007FF78713BE04
                                                                    • NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s, xrefs: 00007FF78713BE44
                                                                    • Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API, xrefs: 00007FF78713C1ED
                                                                    • NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically', xrefs: 00007FF78713C04F
                                                                    • --dhcp-internal %lu, xrefs: 00007FF78713BF9B
                                                                    • ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet, xrefs: 00007FF78713BC72
                                                                    • @, xrefs: 00007FF78713BBC3
                                                                    • ERROR: unable to get adapter index for interface %s -- %s, xrefs: 00007FF78713C01A
                                                                    • openvpn --verb %d --tap-sleep %d, xrefs: 00007FF78713BF3D
                                                                    • ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server, xrefs: 00007FF78713BC48
                                                                    • TUN, xrefs: 00007FF78713BD54
                                                                    • --dhcp-pre-release, xrefs: 00007FF78713BF69
                                                                    Similarity
                                                                    • API ID: htonl$malloc$freeinet_ntoa$_exit$AddressFlushTable__stdio_common_vsprintf
                                                                    • String ID: --dhcp-internal %lu$ --dhcp-pre-release$ --dhcp-renew$@$ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet$ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server$ERROR: unable to get adapter index for interface %s -- %s$I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')$NOTE: FlushIpNetTable failed on interface [%lu] %s (status=%lu) : %s$NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'$Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API$Successful ARP Flush on interface [%lu] %s$TUN$WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'$openvpn --verb %d --tap-sleep %d
                                                                    • API String ID: 857723900-2254446668
                                                                    • Opcode ID: 963867a03e292f7cfad4edf775e63180ab5fe24b3919d75fd626f9426950878e
                                                                    • Instruction ID: b0494f387f43060fa1a836c3b11b46de775e31352ecf1b6db1b88db343552a8b
                                                                    • Opcode Fuzzy Hash: 963867a03e292f7cfad4edf775e63180ab5fe24b3919d75fd626f9426950878e
                                                                    • Instruction Fuzzy Hash: 4312B432E4878285FB20AF24A4416B9FB65FFC4348FA41135DA4E57A95EF3CE546C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: htonlinet_ntoamalloc$_exitfree
                                                                    • String ID: %s,%s,%s$--ifconfig-pool address range is too large [%s -> %s]. Current maximum is %d addresses, as defined by IFCONFIG_POOL_MAX variable.$--ifconfig-pool start IP [%s] is greater than end IP [%s]$@$@$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\pool.c$buf_init(&in, 0)$ifconfig_pool_read(), in='%s'$pool: IPv4 (%s) and IPv6 (%s) have different offsets! Relying on IPv4$pool: IPv4 (%s) out of pool range for CN=%s$pool: IPv6 (%s) out of pool range for CN=%s$pool: invalid IPv4 (%s) for CN=%s$pool: invalid IPv6 (%s) for CN=%s$succeeded -> ifconfig_pool_set(hand=%d)
                                                                    • API String ID: 2635534324-923689359
                                                                    • Opcode ID: 154d702eb50b2afce556cbb564693237eed630efcc800d2d5dcad352e65c4461
                                                                    • Instruction ID: d9924e89c53d0330271709bcc94b0f4b1ea3a46607160afdd2e2abdd5c1da858
                                                                    • Opcode Fuzzy Hash: 154d702eb50b2afce556cbb564693237eed630efcc800d2d5dcad352e65c4461
                                                                    • Instruction Fuzzy Hash: 8D91B421F4974286FB11EF64A4413BCBB61BF88749FA44435CF0E66B85EE3CA55AC360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: D_bytesmallocmemset
                                                                    • String ID: %s: failed to read length$%s: failed to read tag$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\tls_crypt.c$Can not locate tls-crypt-v2 client key$Can not read tls-crypt-v2 client key length$ERROR: could not write metadata to file$ERROR: no metadata type$OpenVPN tls-crypt-v2 server key$buf_inc_len(&metadata, decoded_len)$buf_inc_len(&plaintext, outlen)$buf_inc_len(&work, outlen)$buf_inc_len(buf, -(BLEN(&wrapped_client_key)))$buf_inc_len(dst, outlen)$buf_write(&dst, client_key.keys, sizeof(client_key.keys))$buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_TIMESTAMP, 1)$buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1)$buf_write(&metadata, &timestamp, sizeof(timestamp))$buf_write(&work, &net_len, sizeof(net_len))$cipher_ctx_final(cipher_ctx, BEND(&work), &outlen)$cipher_ctx_reset(cipher_ctx, tag)$reliable_ack_write (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote, max_ack, prepend_ack)$tls_crypt_v2_metadata_$tls_crypt_v2_unwrap_client_key$tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata, test_wrapped_client_key, &server_key)
                                                                    • API String ID: 3934451180-1528554916
                                                                    • Opcode ID: 28281e9dddb5d3ccd1d6e26cadaa78ed8b1aaf86a469be7b47d737f3814390b2
                                                                    • Instruction ID: 2b2b461a044c2d30ceea0d9036c212f22f9165dc7af574deda49e1d90e21f62c
                                                                    • Opcode Fuzzy Hash: 28281e9dddb5d3ccd1d6e26cadaa78ed8b1aaf86a469be7b47d737f3814390b2
                                                                    • Instruction Fuzzy Hash: 3571D322E58B8586E300EF24E8443BDABA1FB94344FA49235DB4E57A55EF3CE596C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Any_expkcs11h_certificate_sign$_exit
                                                                    • String ID: PKCS#11: Cannot initialize %ld-'%s'$PKCS#11: Cannot initialize system engine %ld-'%s'$PKCS#11: Cannot set Pcache period %ld-'%s'$PKCS#11: Cannot set fork mode %ld-'%s'$PKCS#11: Cannot set hooks %ld-'%s'$PKCS#11: Cannot set protected authentication mode %ld-'%s'$PKCS#11: pkcs11_initialize - entered$PKCS#11: pkcs11_initialize - return %ld-'%s'
                                                                    • API String ID: 1701562497-2041442361
                                                                    • Opcode ID: dde52242e299306392b4896a17b697389e40ef2269dd809d6d453ab9d70c453c
                                                                    • Instruction ID: d3be3f22e34cc262e905ec77bab20ad0728d19682e7d5ed758775a5fa9f5db72
                                                                    • Opcode Fuzzy Hash: dde52242e299306392b4896a17b697389e40ef2269dd809d6d453ab9d70c453c
                                                                    • Instruction Fuzzy Hash: 7161DD20E8860786FB9477A0B8553789AA6BFC4346FF44434C54F46AD5EE6CE98BD330
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$freehtonlinet_ntoa
                                                                    • String ID: %s$ %s$ address = %s$ address = %s:%s$ address = [%s]:%s$ dnssec = %s$ resolve domains:$ sni = %s$ transport = %s$ DNS search domains:$ DNS server #%d:$%hu$DoH$DoT$optional$plain$unset$yes
                                                                    • API String ID: 2730236656-895546441
                                                                    • Opcode ID: c3ee3a3b2d9848beab5940d8c9a7b20e4caf0ea0b3466d4511e56c0654a5cf62
                                                                    • Instruction ID: 6d646460cdbf5f3a7f2a9f6f70fc296e8ca1beaf679ba420ad5ec2c559227864
                                                                    • Opcode Fuzzy Hash: c3ee3a3b2d9848beab5940d8c9a7b20e4caf0ea0b3466d4511e56c0654a5cf62
                                                                    • Instruction Fuzzy Hash: 4CE1B221E8964385FA14BF54A5043B9A762BF84788FE44435CB0F9B795DF3CA68BC360
                                                                    APIs
                                                                    Strings
                                                                    • C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c, xrefs: 00007FF7870AD554
                                                                    • The following ciphers and cipher modes are available for usewith OpenVPN. Each cipher shown below may be used as aparameter to the --data-ciphers (or --cipher) option. In static key mode only CBC mode is allowed., xrefs: 00007FF7870AD371
                                                                    • %s %d bit digest size, xrefs: 00007FF7870AD59C
                                                                    • See also openssl list -cipher-algorithms, xrefs: 00007FF7870AD37D
                                                                    • ciphername, xrefs: 00007FF7870AD548
                                                                    • The following ciphers have a block size of less than 128 bits, and are therefore deprecated. Do not use unless you have to., xrefs: 00007FF7870AD461
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_get0_nameprintf$R_fetch$R_freeR_get_nid$D_get0_nameD_get_sizeR_do_all_provided__acrt_iob_func__stdio_common_vfprintfmemsetqsort
                                                                    • String ID: The following ciphers have a block size of less than 128 bits, and are therefore deprecated. Do not use unless you have to.$%s %d bit digest size$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$See also openssl list -cipher-algorithms$The following ciphers and cipher modes are available for usewith OpenVPN. Each cipher shown below may be used as aparameter to the --data-ciphers (or --cipher) option. In static key mode only CBC mode is allowed.$ciphername
                                                                    • API String ID: 902595010-3006981748
                                                                    • Opcode ID: c1d33e6aed7cb8452ec9f744871e7288adbcf240437cdb544c2485c3599b70c0
                                                                    • Instruction ID: e5cf34ac851aeadf51b0f9349f00aa2c4e43b498edcc8b4041c487b58e753c9a
                                                                    • Opcode Fuzzy Hash: c1d33e6aed7cb8452ec9f744871e7288adbcf240437cdb544c2485c3599b70c0
                                                                    • Instruction Fuzzy Hash: A8512F21E9CA4641FA14BB22E4550B9E791BF88B80FE40435D94F93BA9EE3CE446C730
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _errno$htonlhtons$strtoul$freefreeaddrinfoinet_ntoamallocmemcpymemsetstrchrstrncpystrrchr
                                                                    • String ID: @$Extracted DHCP router address: %s$[
                                                                    • API String ID: 2276591152-3936728288
                                                                    • Opcode ID: 2fc44ded3b16ad6db27e62fcee6bbdf3de91d672ec5eaa257c1550ea3b7240ba
                                                                    • Instruction ID: a47e805aba3b86e63ef49540fde841afae948b8d42fb8c76c8640646fed9f07d
                                                                    • Opcode Fuzzy Hash: 2fc44ded3b16ad6db27e62fcee6bbdf3de91d672ec5eaa257c1550ea3b7240ba
                                                                    • Instruction Fuzzy Hash: DCF1C722A4868286FB60AB14E44437AA761FF85785FF44531DB5F83790EF3DE686C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_clear_error$O_test_flagsR_get_error_all$D_get_typeO_readO_writeR_error_stringY_get0_type_nameY_get_bitsY_get_group_nameY_is_a
                                                                    • String ID: %d bits %s%s$(error getting curve name)$(error getting public key type)$(error getting type)$BIO read %s %d bytes$BIO write %s %d bytes$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_openssl.c$TLS ERROR: BIO write %s error$TLS ERROR: BIO write %s incomplete %d/%d$TLS_ERROR: BIO read %s error$buf->len >= 0$size >= 0
                                                                    • API String ID: 1898786375-3872497648
                                                                    • Opcode ID: 6f7af5c6db88070ce8c38aa76c3a5eaef490aa2031e1e66f9894eba5352499ca
                                                                    • Instruction ID: 9991ec166259fe6bc2798a11b02e2ad4a5d950f3a4c4f4aef8ddc7634e33c2bd
                                                                    • Opcode Fuzzy Hash: 6f7af5c6db88070ce8c38aa76c3a5eaef490aa2031e1e66f9894eba5352499ca
                                                                    • Instruction Fuzzy Hash: 07A1CE31E9864282E664AB15B4402A6EB62FFC4B90FE84034DB4F47F95DE3CE646C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle$FileUnmapViewfree$Cancel
                                                                    • String ID: Attempting CancelIO on %s adapter$Attempting CloseHandle on %s adapter$Attempting close of overlapped read event on %s adapter$Attempting close of overlapped write event on %s adapter$Warning: CancelIO failed on %s adapter$Warning: CloseHandle failed on %s adapter$Warning: CloseHandle failed on overlapped I/O event object$ovpn-dco$tap-windows6$unspecified$wintun
                                                                    • API String ID: 2372062577-3847859075
                                                                    • Opcode ID: 02c851123909b747ebf2581ccf9ea455bb02ae87896b604a53d454477ab177e0
                                                                    • Instruction ID: c5884ce1d8e7440db377a910ebaccaad6546c29a499db2235eb64bed502f8358
                                                                    • Opcode Fuzzy Hash: 02c851123909b747ebf2581ccf9ea455bb02ae87896b604a53d454477ab177e0
                                                                    • Instruction Fuzzy Hash: 51614F20D8D74281FB54BB61B4552B8AB52FFC4B89FF40075C90F5AAA5DE2CA58BC331
                                                                    APIs
                                                                    Strings
                                                                    • C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\pool.c, xrefs: 00007FF787106015, 00007FF78710602E, 00007FF78710604D
                                                                    • IPv6 pool size is too small (%d), must be at least 2, xrefs: 00007FF787105DE5
                                                                    • WARNING: IPv4 pool size is %d, IPv6 pool size is %d. IPv6 pool size limits the number of clients that can be served from the pool. This is likely a MISTAKE - please check your configuration, xrefs: 00007FF787105F2A
                                                                    • attempted allocation of excessively large array, xrefs: 00007FF787105FEC
                                                                    • IFCONFIG POOL IPv6: base=%s size=%d netbits=%d, xrefs: 00007FF787105EC5
                                                                    • start <= end && end - start < IFCONFIG_POOL_MAX, xrefs: 00007FF787106009
                                                                    • pool->size > 0, xrefs: 00007FF787106041
                                                                    • IFCONFIG POOL IPv4: base=%s size=%d, xrefs: 00007FF787105D09
                                                                    • IPv4 pool size is too small (%d), must be at least 2, xrefs: 00007FF787105C42
                                                                    • NOTE: IPv4 pool size is %d, IPv6 pool size is %d. IPv4 pool size limits the number of clients that can be served from the pool, xrefs: 00007FF787105F0C
                                                                    • IFCONFIG POOL IPv6: incrementing pool start to avoid ::0 assignment, xrefs: 00007FF787105D9E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintf_exitfreehtonlinet_ntoainet_ntopmemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\pool.c$IFCONFIG POOL IPv4: base=%s size=%d$IFCONFIG POOL IPv6: base=%s size=%d netbits=%d$IFCONFIG POOL IPv6: incrementing pool start to avoid ::0 assignment$IPv4 pool size is too small (%d), must be at least 2$IPv6 pool size is too small (%d), must be at least 2$NOTE: IPv4 pool size is %d, IPv6 pool size is %d. IPv4 pool size limits the number of clients that can be served from the pool$WARNING: IPv4 pool size is %d, IPv6 pool size is %d. IPv6 pool size limits the number of clients that can be served from the pool. This is likely a MISTAKE - please check your configuration$attempted allocation of excessively large array$pool->size > 0$start <= end && end - start < IFCONFIG_POOL_MAX
                                                                    • API String ID: 3170866382-237384953
                                                                    • Opcode ID: 61831cd8b75b603c46cdad256a88081956dd9aced3c3d1aa1b04909497ca9624
                                                                    • Instruction ID: 0c51afeb3d227f699864e5ad757e8d4df2690e624c2da74d760f6a5e9c8a41d8
                                                                    • Opcode Fuzzy Hash: 61831cd8b75b603c46cdad256a88081956dd9aced3c3d1aa1b04909497ca9624
                                                                    • Instruction Fuzzy Hash: 09E1C121E4968246FA10EB64A5443B8EBA1FFC5385FB04035DA5F57E96EE3CE587C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: fprintf$freemalloc$ErrorLast__stdio_common_vfprintf__stdio_common_vsprintf_errnofflushstrerror
                                                                    • String ID: %d variation(s) on previous %d message(s) suppressed by --mute$%lli.%06ld %x %s%s%s%s$%s %s%s%s%s$%s%s%s$%s%s%s%s$%s: %s (errno=%d)$Exiting due to fatal error$NOTE: --mute triggered...$Options error: %s
                                                                    • API String ID: 2823709519-693231598
                                                                    • Opcode ID: aac27f8f85629e8160903a391073dd32c1392fba12c743ca6ed6b689570057e6
                                                                    • Instruction ID: 3839259b32c1246ae19af839b6ae10b2cf1eae6c24c4b7e17e90f8977b70dbc2
                                                                    • Opcode Fuzzy Hash: aac27f8f85629e8160903a391073dd32c1392fba12c743ca6ed6b689570057e6
                                                                    • Instruction Fuzzy Hash: E6E18C31E8878286F624AB11B841369FBA1FB84780FE44435D98E97BA5DF3CE547C724
                                                                    APIs
                                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,0000009A,00007FF7870C5860), ref: 00007FF78711DC99
                                                                    • RAND_bytes.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,00000000,?,0000009A,00007FF7870C5860), ref: 00007FF78711DCC9
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,0000009A,00007FF7870C5860), ref: 00007FF78711DDBD
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,0000009A,00007FF7870C5860), ref: 00007FF78711DED6
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,0000009A,00007FF7870C5860), ref: 00007FF78711DF04
                                                                      • Part of subcall function 00007FF7870A2610: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870A2640
                                                                      • Part of subcall function 00007FF7870A2610: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A2690
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7870AC6F5), ref: 00007FF7870ACF45
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_error_string.LIBCRYPTO-3-X64 ref: 00007FF7870AD01A
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64 ref: 00007FF7870AD0AE
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF78711E07E
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF78711E0A4
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF78711E0B6
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF78711E0D6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$R_get_error_all$D_bytesR_error_string_exitcallocmallocmemcpymemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$RAND_bytes() failed$TLS: move_session: dest=%s src=%s reinit_src=%d$TLS: move_session: exit$TLS: tls_session_init: entry$TLS: tls_session_init: new session object, sid=%s$TLS_WRAP$dest >= 0 && dest < TM_SIZE$rand_bytes(output, len)$src != dest$src >= 0 && src < TM_SIZE
                                                                    • API String ID: 3536067934-2650966742
                                                                    • Opcode ID: 4815846f2b0cd161e1fa07040755a89c7ce0a74e137a2fc791ceace91797d81f
                                                                    • Instruction ID: c9c8fad37c68e14bb11595566c7a0ffad469455e0aeba4abe31d2fd65f65e67c
                                                                    • Opcode Fuzzy Hash: 4815846f2b0cd161e1fa07040755a89c7ce0a74e137a2fc791ceace91797d81f
                                                                    • Instruction Fuzzy Hash: 0BE1B662E49B4282EA14EF14F4053B9AB61FBC4B84FE45135DA4E17B56DF3CE586C320
                                                                    APIs
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC774
                                                                    • EVP_CIPHER_get_key_length.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC780
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC790
                                                                    • printf.MSPDB140-MSVCRT ref: 00007FF7870AC7AB
                                                                    • printf.MSPDB140-MSVCRT ref: 00007FF7870AC7C9
                                                                    • printf.MSPDB140-MSVCRT ref: 00007FF7870AC7E4
                                                                      • Part of subcall function 00007FF7870A5580: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,?,?,00007FF7870AC7B0), ref: 00007FF7870A55A8
                                                                      • Part of subcall function 00007FF7870A5580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,?,?,00007FF7870AC7B0), ref: 00007FF7870A55C7
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC805
                                                                    • EVP_CIPHER_get_mode.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC816
                                                                    • EVP_CIPHER_get_flags.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC824
                                                                    • EVP_CIPHER_get_flags.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC833
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC842
                                                                    • printf.MSPDB140-MSVCRT ref: 00007FF7870AC87C
                                                                      • Part of subcall function 00007FF7870ADC50: EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADC85
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC84D
                                                                    • printf.MSPDB140-MSVCRT ref: 00007FF7870AC85A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: printf$R_fetchR_free$R_get_flags$R_get_key_lengthR_get_mode__acrt_iob_func__stdio_common_vfprintf
                                                                    • String ID: %d bit block$%s (%d bit key, $, %s$, TLS client/server mode only$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$ciphername$stream cipher
                                                                    • API String ID: 3923556344-1955877356
                                                                    • Opcode ID: aab3dd2bbe3495074c91f1bee46528b17ed82b02a9017268f7b41bcb03f1b191
                                                                    • Instruction ID: eb95652f233dfe6a537a3aefef7557343124a387de58e75d818cf1919a7679f2
                                                                    • Opcode Fuzzy Hash: aab3dd2bbe3495074c91f1bee46528b17ed82b02a9017268f7b41bcb03f1b191
                                                                    • Instruction Fuzzy Hash: 2F313021E9C60385FE18FB26B4550B9E652BF85B80FE55431D80F87AA5EE2CE447C371
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: strcmp$atoihtonlinet_ntoa
                                                                    • String ID: @$OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options$OpenVPN ROUTE: failed to parse/resolve route for host/network: %s$OpenVPN ROUTE: net_gateway undefined -- unable to get default gateway from system$OpenVPN ROUTE: remote_host undefined$OpenVPN ROUTE: route metric for network %s (%s) must be >= 0$OpenVPN ROUTE: vpn_gateway undefined$default$net_gateway$remote_host$vpn_gateway
                                                                    • API String ID: 1180672172-3708273783
                                                                    • Opcode ID: f7e7a24e9030cd5283bc8c2c9d7f9358f3ca78fcf43521248b2fafb31b21dc98
                                                                    • Instruction ID: 9a35a8c499a5c9693bccf8d952935b20fe603eded440ee330a0a5e2cc6699aa9
                                                                    • Opcode Fuzzy Hash: f7e7a24e9030cd5283bc8c2c9d7f9358f3ca78fcf43521248b2fafb31b21dc98
                                                                    • Instruction Fuzzy Hash: 13D17F61D8C64285EA64BB10B5052B9EBA5BFC5389FF44035DE8F46AD6DE3CE843C720
                                                                    APIs
                                                                    • _lseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,0000027C,00007FF787113E7F), ref: 00007FF78711382E
                                                                      • Part of subcall function 00007FF7870B3290: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF787100D21), ref: 00007FF7870B32FD
                                                                    • _lseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,0000027C,00007FF787113E7F), ref: 00007FF7871139A7
                                                                    • _chsize.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,0000027C,00007FF787113E7F), ref: 00007FF7871139B2
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00000000,0000027C,00007FF787113E7F), ref: 00007FF7871139DA
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00000000,0000027C,00007FF787113E7F), ref: 00007FF787113A06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _lseekfree$_chsize_exit
                                                                    • String ID: Auth read bytes,%llu$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\status.c$END$OpenVPN STATISTICS$TAP-WIN32 driver status,"%s"$TCP/UDP read bytes,%llu$TCP/UDP write bytes,%llu$TUN/TAP read bytes,%llu$TUN/TAP write bytes,%llu$Updated,%s$buf_init(&so->read_buf, 0)$post-compress bytes,%llu$post-decompress bytes,%llu$pre-compress bytes,%llu$pre-decompress bytes,%llu
                                                                    • API String ID: 1698134751-3195016593
                                                                    • Opcode ID: 951f9a20e5801cb63e248ab58d775817d396937795ca495110c679be2c20503b
                                                                    • Instruction ID: 5745ebde679f62f94da6425c8f7ecfa4d20630b24c3f8b2c3ec6b5209d7dddb0
                                                                    • Opcode Fuzzy Hash: 951f9a20e5801cb63e248ab58d775817d396937795ca495110c679be2c20503b
                                                                    • Instruction Fuzzy Hash: FE618E65E9874282EA18EF21F4401B9AB61FFC5B84FA85035DA4F0BE59DE3CE453C360
                                                                    APIs
                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870F394C
                                                                      • Part of subcall function 00007FF7870F37A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870F32EC
                                                                      • Part of subcall function 00007FF7870F37A0: memcpy.VCRUNTIME140 ref: 00007FF7870F3316
                                                                      • Part of subcall function 00007FF7870F37A0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870F337B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: callocmallocmemcpystrncmp
                                                                    • String ID: "$"$#$%sOptions error: No closing quotation (") in %s:%d$%sOptions error: No closing single quotation (') in %s:%d$%sOptions error: Parameter at %s:%d is too long (%d chars max): %s$%sOptions error: Residual parse state (%d) in %s:%d$%sOptions warning: Bad backslash ('\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key"$'$'$;$</%s>$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\options.c$ERROR: $ERROR: Endtag %s missing$In %s:%d: Error opening configuration file: %s$In %s:%d: Maximum option line length (%d) exceeded, line starts with %s$In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.$SCRIPT-ARGV$\$buf_copy(&buf2, &buf)$stdin
                                                                    • API String ID: 2412885949-3525110638
                                                                    • Opcode ID: 2e9815ed737dd6589e9a33a43337f4f34ffa203b8f7f03baec26675d157176e5
                                                                    • Instruction ID: 43ca65912382572a064999dc552fbd65d2eab1e6fa4f2d9164c181dfb1f28505
                                                                    • Opcode Fuzzy Hash: 2e9815ed737dd6589e9a33a43337f4f34ffa203b8f7f03baec26675d157176e5
                                                                    • Instruction Fuzzy Hash: 7B617632E487858AE760DB25A8803A9B7A0F7547A8F601335DE5E93BD5DF3CD582CB10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_get_mode$R_fetchR_freeR_get_flags
                                                                    • String ID: "$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$Data Channel MTU parms$EXPORTER-OpenVPN-dynamic-tls-crypt$Error: negotiated cipher not allowed - %s not in %s$Fragmentation MTU parms$TLS_WRAP_RENEG$ciphername$dynamic tls-crypt
                                                                    • API String ID: 615240719-2381343970
                                                                    • Opcode ID: 9ad82ef36d84c1216f08d5367b7c7e757a197248f08d49fd7928ae91179a2ad6
                                                                    • Instruction ID: e1ff1dd5a5d034889d7a5666a5fa54f3ebb5b41f131a62f798fc0b81c01a7512
                                                                    • Opcode Fuzzy Hash: 9ad82ef36d84c1216f08d5367b7c7e757a197248f08d49fd7928ae91179a2ad6
                                                                    • Instruction Fuzzy Hash: 54E1B232D59B8582E714EB25E4003B9A7A1FB85B84FA45235DF8E47B65DF3CE186C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$htonlinet_ntoa
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\helper.c$network$route %s$route %s %s
                                                                    • API String ID: 3620171695-4170088803
                                                                    • Opcode ID: ab1b42ebaab1c7d4b96ad394b5624d3b37f9b0b561a5a3e0a8860301148c5d9a
                                                                    • Instruction ID: a1548d3911e00f1037e8538dcf43c1dc6209451b26662fa45e85277c05fd3a75
                                                                    • Opcode Fuzzy Hash: ab1b42ebaab1c7d4b96ad394b5624d3b37f9b0b561a5a3e0a8860301148c5d9a
                                                                    • Instruction Fuzzy Hash: 67918D61F89B5285FB01AF64E4403BDA7B1BF88744FA44839CE4E66B55EF3C9586C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: freemallocmemsetstrncpy$_exit
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\proxy.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socks.c$ERROR: unknown HTTP authentication method: '%s'$HTTP_PROXY: server not specified$NTLM v1 authentication is deprecated and will be removed in OpenVPN 2.7$basic$none$ntlm$ntlm2$o->port$port
                                                                    • API String ID: 3785283947-524452808
                                                                    • Opcode ID: ba9309e5a7b7e096211691c08a9369e06e5daec10cd978f92e20a98c072821d2
                                                                    • Instruction ID: 2a76b492d93b7d8b2b2aebbb63f3ad80c7749b03c47775a7aaf13b6b3d529dd4
                                                                    • Opcode Fuzzy Hash: ba9309e5a7b7e096211691c08a9369e06e5daec10cd978f92e20a98c072821d2
                                                                    • Instruction Fuzzy Hash: 7FA1C322D486C282E755AB24A4003B8AB61FB95784FA49135CBCE47796DF7CF2D6C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$callocmemcpy
                                                                    • String ID: >PASSWORD:Verification Failed: '%s'$>PASSWORD:Verification Failed: '%s' ['%s']$AUTH: Received control message: %s$AUTH_FAI$Auth$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\push.c$LED,$TEMP$auth-failure$auth-failure (auth-token)$auth-temp-failure (server temporary reject)
                                                                    • API String ID: 603207647-2279852247
                                                                    • Opcode ID: 03f872f357cdd40b7dcc9e33ab05f4ddfb872f4916081e75ac3ff4adf590a516
                                                                    • Instruction ID: 5ae2856c8a9d42810d3e332fff7f2ef25d62da27d093886b5b581d528a5a27e7
                                                                    • Opcode Fuzzy Hash: 03f872f357cdd40b7dcc9e33ab05f4ddfb872f4916081e75ac3ff4adf590a516
                                                                    • Instruction Fuzzy Hash: 2FE1BF75E8C68286EA14AF15B464279AA62BBD4B95FF44131CA5F47F90DF3CE403C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$_exit$closesocketfreeaddrinfo$ObjectSingleWaitlistenmallocselect
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$TCP NOTE: Rejected connection attempt from %s due to --remote setting$TCP: close socket failed (new_sd)$TCP: close socket failed (sd)$TCP: select() failed
                                                                    • API String ID: 98590881-1674241007
                                                                    • Opcode ID: 3042515a07605a7adbedd5b59c2bd450765f8dfaf684b57dd81892c79a05bf96
                                                                    • Instruction ID: 2277e34bd1c699cf0c107bfa7b5420356423f6f8935ff98a5623c37f1bcce972
                                                                    • Opcode Fuzzy Hash: 3042515a07605a7adbedd5b59c2bd450765f8dfaf684b57dd81892c79a05bf96
                                                                    • Instruction Fuzzy Hash: 76B1A031E4864286FB14EF25E4412B9AB61FF84B84FA45131DE4E0BA95DF3CE486C730
                                                                    APIs
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF78714643B
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787146487
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF7871464D6
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787146526
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787146577
                                                                    • isdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787146593
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF7871465D4
                                                                    • isdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF7871465F0
                                                                    • tolower.API-MS-WIN-CRT-STRING-L1-1-0(?,FFFFFFFF,00000008,00007FF787104274,?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787146629
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: tolower$isdigit
                                                                    • String ID: aux$c$clock$$com$con$lpt$nul$prn
                                                                    • API String ID: 457228195-2369631663
                                                                    • Opcode ID: 08c8ad1b2919aa86f5e0b5082948d579eb065b3c28e01c83b48e002e565a0efd
                                                                    • Instruction ID: add6c23b6cd48387fa8e1e4afd216ef78f36ff64f2841831a912c75064a0f082
                                                                    • Opcode Fuzzy Hash: 08c8ad1b2919aa86f5e0b5082948d579eb065b3c28e01c83b48e002e565a0efd
                                                                    • Instruction Fuzzy Hash: 9B81D221D8859391EE61AA207456279EEE27F83B8CFA80071CD5B8BD91FD1DE847C670
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ControlDevice_exit
                                                                    • String ID: %s: peer-id %d$%s: peer-id %d, slot %d called but ignored$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\dco.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_common.h$DeviceIoControl(OVPN_IOCTL_SWAP_KEYS) failed$No encryption key found. Purging data channel keys$Swapping primary and secondary keys to primary-id=%d secondary-id=%d$Swapping primary and secondary keys toprimary-id=%d secondary-id=(to be deleted)$dco_del_key$dco_swap_keys$false$key->initialized$primary->dco_status != DCO_NOT_INSTALLED$secondary->dco_status == DCO_INSTALLED_PRIMARY
                                                                    • API String ID: 3898995826-869485562
                                                                    • Opcode ID: 046c67849926c6376f1a3f70ce6227df30776c92d01e846fc5d1764fa3942863
                                                                    • Instruction ID: 74fea368fd024fa9a6c11d40244a5e8b2c54d7bbc768ddb3cbf202d95c019c86
                                                                    • Opcode Fuzzy Hash: 046c67849926c6376f1a3f70ce6227df30776c92d01e846fc5d1764fa3942863
                                                                    • Instruction Fuzzy Hash: EAA19931E88642A2FA68BB11A4442B8E661FB84744FE40135DA4E97BA5DF3CF547C730
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseHandlecallocfreememcpy$CreateFileInfoModuleNameProcessStartupmemset
                                                                    • String ID: SystemRoot$fork_to_self: CreateProcess failed: %s$fork_to_self: CreateProcess failed: cannot get module name via GetModuleFileName$h
                                                                    • API String ID: 2744877749-1096927694
                                                                    • Opcode ID: a534eb0d2c1334da008c12c49629b631dd2c4b63ff811c64f041b96a7969aa09
                                                                    • Instruction ID: 73e1c4673bee40a9da70dbf0139979aead5cbd9fa953278991de3a0f35aead37
                                                                    • Opcode Fuzzy Hash: a534eb0d2c1334da008c12c49629b631dd2c4b63ff811c64f041b96a7969aa09
                                                                    • Instruction Fuzzy Hash: 5E614121E4CB8182E710EB51F4053AAE762FBC8B94FA44235DA9E47B95EF7CE146C710
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: R_free$R_get_mode$R_fetch$R_get_flagsR_get_nid_exit
                                                                    • String ID: --no-replay cannot be used with a CFB, OFB or AEAD mode cipher$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$ciphername
                                                                    • API String ID: 3462190298-3705925875
                                                                    • Opcode ID: 96a96505911938c6b2960afd7d4ba49534ffe2e0d9214702be6311149b277c26
                                                                    • Instruction ID: 0f445941ffa1e1d7488e0216fcde661d7610214a678eead291c093ffcc7c31b5
                                                                    • Opcode Fuzzy Hash: 96a96505911938c6b2960afd7d4ba49534ffe2e0d9214702be6311149b277c26
                                                                    • Instruction Fuzzy Hash: 9A317F61E8D60782FE58BB16B815678D651BF85BC0FF90435D91F86BE0EE2CE486D230
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintf_exitfreeinet_ntop
                                                                    • String ID: %s%s interface ipv6 set address %lu %s/%d store=active$%s: command failed$******** NOTE: Please manually set the IP/netmask of '%s' to %s/%s (if it is not already set)$******** NOTE: Please manually set the v6 IP of '%s' to %s (if it is not already set)$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\win32.c$ERROR: command failed$NETSH$\system32\netsh.exe$do_ifconfig, ipv4=%d, ipv6=%d$win_sys_path
                                                                    • API String ID: 2285947998-1887878019
                                                                    • Opcode ID: ebe38ff45c49990b50ac064d76390af77dfdb005ae656b67f4ffe13519da61a4
                                                                    • Instruction ID: e2a82e3f4e9e2a9242f7bac06209e382c2e3c40e665538dc01afee5c2632eba5
                                                                    • Opcode Fuzzy Hash: ebe38ff45c49990b50ac064d76390af77dfdb005ae656b67f4ffe13519da61a4
                                                                    • Instruction Fuzzy Hash: 2DA1B132E4868286F700EB70E9412E9BB71FF94744FA04135DA4E17A96EF3CE596C760
                                                                    APIs
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145837
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145846
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145855
                                                                      • Part of subcall function 00007FF7871457E0: VerifyVersionInfoW.KERNEL32 ref: 00007FF78714587A
                                                                      • Part of subcall function 00007FF7871457E0: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7871458A4
                                                                      • Part of subcall function 00007FF7871457E0: memset.VCRUNTIME140 ref: 00007FF7871458CA
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF7871458E0
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF7871458F1
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145902
                                                                      • Part of subcall function 00007FF7871457E0: VerifyVersionInfoW.KERNEL32 ref: 00007FF787145922
                                                                      • Part of subcall function 00007FF7871457E0: memset.VCRUNTIME140 ref: 00007FF78714594F
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145965
                                                                      • Part of subcall function 00007FF7871457E0: VerSetConditionMask.KERNEL32 ref: 00007FF787145976
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787145BD2
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787145C30
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ConditionMask$InfoVerifyVersionmallocmemset$_exit
                                                                    • String ID: (unknown)$ executable$ host$ running on $0.0%s$IsWow64Process2$Kernel32.dll$Unknown Windows version: %d$amd64$arm64
                                                                    • API String ID: 1733326153-632161243
                                                                    • Opcode ID: 395d3e10867b59a5f128397fa296848b8f6096fab6452b246f66955b62802163
                                                                    • Instruction ID: f990f688c622d5acf103ff282f10720a59b8277e6ecb84ff3d59e03f1e7a9d57
                                                                    • Opcode Fuzzy Hash: 395d3e10867b59a5f128397fa296848b8f6096fab6452b246f66955b62802163
                                                                    • Instruction Fuzzy Hash: 48517F22E49A4291EA11EF54F4512B9EB21FFC4784FE44035DA8F46EA5EF2CE587C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: strncmp$htonl$freemalloc
                                                                    • String ID: gateway$netmask$network$null$route_metric_%d$tap$tun
                                                                    • API String ID: 3240622695-287512959
                                                                    • Opcode ID: 2dbc1bbc8c899374edec7d92f3adf0a56c4d40e70d7995e7eb7bd73982e3c4c4
                                                                    • Instruction ID: d353f13d656a911753fa827be5270394937affbec5109c15494aba3af090076c
                                                                    • Opcode Fuzzy Hash: 2dbc1bbc8c899374edec7d92f3adf0a56c4d40e70d7995e7eb7bd73982e3c4c4
                                                                    • Instruction Fuzzy Hash: BC91E822B8874682EA25AB15A950779AB91FF85BD4FB44034CE9F47794DE3CE447C320
                                                                    APIs
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADC85
                                                                    • EVP_CIPHER_get_block_size.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADCB3
                                                                    • EVP_CIPHER_get0_name.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADCBF
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADD04
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADD20
                                                                    • strrchr.VCRUNTIME140(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADD2D
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADD82
                                                                    • EVP_CIPHER_get_block_size.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADD96
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADDA2
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADDAB
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870AC79E), ref: 00007FF7870ADDB4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: R_fetchR_freeR_get_block_size$R_get0_namecallocfreememcpystrrchr
                                                                    • String ID: -CBC$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$ciphername
                                                                    • API String ID: 1288903254-2026270469
                                                                    • Opcode ID: bcfad5677919b7be15bcb3907fc78b939def9cc993f096896bbb6b7e3aea94cd
                                                                    • Instruction ID: 6190fb0ff4cf2018041c0d7cd45ea46e31391d2179cf137b495e6b6d0e68f1a4
                                                                    • Opcode Fuzzy Hash: bcfad5677919b7be15bcb3907fc78b939def9cc993f096896bbb6b7e3aea94cd
                                                                    • Instruction Fuzzy Hash: F6418061A4D64286FA15AB26A415179FB91BF89F90FA84431CE1F47B94EE3CE447C330
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF7871007A7
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF7871007CA
                                                                    • strstr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF7871007DE
                                                                    • strstr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF787100803
                                                                    • strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF78710081A
                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF787100860
                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF7871008CD
                                                                    • strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF787100982
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7870B5C89), ref: 00007FF7871009C6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: strncmpstrstrstrtok$freemallocmemcpy
                                                                    • String ID: WARNING: unknown AUTH_FAIL,TEMP flag: %s$addr$advance $backoff $backoff %d$invalid AUTH_FAIL,TEMP flag: %s$remote
                                                                    • API String ID: 3425329389-897137053
                                                                    • Opcode ID: f179310f647c928e28c31b644c8f763980b28908fa69028a7807ced76fb5cc73
                                                                    • Instruction ID: f1e2185032af4cb8ec8e161799ed9346f02bab4352fd0d6981a32ccde79402a5
                                                                    • Opcode Fuzzy Hash: f179310f647c928e28c31b644c8f763980b28908fa69028a7807ced76fb5cc73
                                                                    • Instruction Fuzzy Hash: 0861A221E8C68285FA55BB11B4042B4EFA1FF85B95FF84435CA5F06B95EE2CE487C320
                                                                    APIs
                                                                    • EVP_MD_fetch.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FF7870AA08E), ref: 00007FF7870AE04F
                                                                    • EVP_MD_get_size.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FF7870AA08E), ref: 00007FF7870AE08F
                                                                    • EVP_MD_get_size.LIBCRYPTO-3-X64(?,?,?,?,00000000,00007FF7870AA08E), ref: 00007FF7870AE0BF
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,00007FF7870AA08E), ref: 00007FF7870AE0E9
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7870AC6F5), ref: 00007FF7870ACF45
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_error_string.LIBCRYPTO-3-X64 ref: 00007FF7870AD01A
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64 ref: 00007FF7870AD0AE
                                                                    • EVP_MD_get0_name.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA08E), ref: 00007FF7870AE165
                                                                    • EVP_MD_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA08E), ref: 00007FF7870AE382
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: D_get_sizeR_get_error_all$D_fetchD_freeD_get0_nameR_error_string_exit
                                                                    • String ID: @$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$Message hash algorithm '%s' not found$Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than OpenVPN's current maximum hash size (%d bytes)$[null-digest]$digest$none
                                                                    • API String ID: 1095403366-1202525981
                                                                    • Opcode ID: 1792ae8cff2c73c2ae5023ce8f89b0baa38155ddc56fdab0aef840698437d269
                                                                    • Instruction ID: 0ee74cf2804fa875f6630e8487ba69bbcda04e96f40be8731e1877bae2ffc1b5
                                                                    • Opcode Fuzzy Hash: 1792ae8cff2c73c2ae5023ce8f89b0baa38155ddc56fdab0aef840698437d269
                                                                    • Instruction Fuzzy Hash: B991E721E5968644EB546B2694611B8FFA2BFD1B44FEC4439DA4F837A5EE2CA006C330
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_clear_errorfree$malloc
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\forward.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_openssl.c$NULL != ks_ssl$SENT CONTROL [%s]: '%s' (status=%d)$UNDEF$session$tls_write_plaintext_const
                                                                    • API String ID: 1754130735-2516923794
                                                                    • Opcode ID: c720cc7a98c8bc8aeb7bcdf746481f9ef09fd5e5635755a3d7f953269c726240
                                                                    • Instruction ID: f27840e65ffaa3bded522e101ac4a30ab82c69b7726819cdaab398f280e69cea
                                                                    • Opcode Fuzzy Hash: c720cc7a98c8bc8aeb7bcdf746481f9ef09fd5e5635755a3d7f953269c726240
                                                                    • Instruction Fuzzy Hash: 6C71F232E49B8182EA04EF15E4402A9F760FB85BC0FA80135EE5E83B95DF3CE556C360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Eventfree$Reset_exit
                                                                    • String ID: !openvpn_gettimeofday(&tv, NULL)$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\shaper.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$I/O WAIT status=0x%04x$Warning: SetEvent/ResetEvent failed in net_event_win32_reset_write$event_wait$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 4282842009-3332842628
                                                                    • Opcode ID: 034d02e98b46d83a7f83da0f362fa87ea725c06709aa1a3159f28bb97ec11dda
                                                                    • Instruction ID: 22a77dcd426694bba15016ff4309516c49de67ee3852b6014b7f032076c24a6d
                                                                    • Opcode Fuzzy Hash: 034d02e98b46d83a7f83da0f362fa87ea725c06709aa1a3159f28bb97ec11dda
                                                                    • Instruction Fuzzy Hash: 5C02C225A8868283EA18AB15E5403B9F761FF84B48FE44435DA0FD7B91DF7CE556C320
                                                                    APIs
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB844
                                                                      • Part of subcall function 00007FF7870B3310: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870B3319
                                                                      • Part of subcall function 00007FF7870B3310: fprintf.MSPDB140-MSVCRT ref: 00007FF7870B3329
                                                                      • Part of subcall function 00007FF7870B3310: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870B3333
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB85A
                                                                      • Part of subcall function 00007FF7870A33D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF78710423F,?,?,?,?,?,?,00000000), ref: 00007FF7870A33F8
                                                                      • Part of subcall function 00007FF7870A33D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF78710423F,?,?,?,?,?,?,00000000), ref: 00007FF7870A340D
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB902
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB918
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$malloc$__acrt_iob_funcexitfprintf
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$ERROR: The %s command is not currently available$ERROR: The '%s' command is not supported by the current daemon mode$ERROR: The certificate command is not currently available$ERROR: proxy command failed$ERROR: the '%s' command requires %s%d parameter%s$SUCCESS: proxy command succeeded$at least $p[0]$proxy
                                                                    • API String ID: 616886165-1529070907
                                                                    • Opcode ID: 0fe939d1ed723ec37df7492acc45c99cabe3921fe60d3e9576efbe06d195a4f0
                                                                    • Instruction ID: 3c7169c90ce6e8bff6240ddb4f7e7ab75a8ed6121bbe93107fb2c8f48633e503
                                                                    • Opcode Fuzzy Hash: 0fe939d1ed723ec37df7492acc45c99cabe3921fe60d3e9576efbe06d195a4f0
                                                                    • Instruction Fuzzy Hash: 8A71D071E5964281EA04AB14F5453B9A361FF85B88FE84035DB4E87791DF3CE687C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_clear_error$free$mallocmemcpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\forward.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$WARNING: Receive control message failed$len > 0$multi
                                                                    • API String ID: 2116544756-4026653125
                                                                    • Opcode ID: caf3e959514356ff83c52b88d999a10d7aec1a5c8995ff7b44a2ea9e895a7940
                                                                    • Instruction ID: 088f1b63b22ff2b440285e58cea4a6d43368e639997b85dacd7cb66324c1d5ad
                                                                    • Opcode Fuzzy Hash: caf3e959514356ff83c52b88d999a10d7aec1a5c8995ff7b44a2ea9e895a7940
                                                                    • Instruction Fuzzy Hash: E4718236E48A8282FA54EB14E410379E7A1FF85B44FA44535DA4E83B95EF3CE586C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: strncmp$__stdio_common_vsprintfmalloc
                                                                    • String ID: "%s"$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\win32.c$PATH=$PATH=%s\System32;%s;%s\System32\Wbem$WARNING: Failed running command (%s)$env_block: add %s$env_block: default path truncated to %s$openvpn_execve: CreateProcess %ls failed$openvpn_execve: GetExitCodeProcess %ls failed$password$win_sys_path
                                                                    • API String ID: 442965982-2668939393
                                                                    • Opcode ID: 706601b7ff62a2c9f8d39e9fc0e181b74db2a5efb597cf2ad304f930467332e5
                                                                    • Instruction ID: 134478b44b11f2e3421c35a838a5e6703e9984ec26ce88ae91290841e2722011
                                                                    • Opcode Fuzzy Hash: 706601b7ff62a2c9f8d39e9fc0e181b74db2a5efb597cf2ad304f930467332e5
                                                                    • Instruction Fuzzy Hash: 2C617271E58A8281EA51AB11F4813B9EBA1FBC4B80FE44131CE8E53B95EF3CD546C720
                                                                    APIs
                                                                      • Part of subcall function 00007FF7870A12E0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A1308
                                                                      • Part of subcall function 00007FF7870B2780: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B27FF
                                                                      • Part of subcall function 00007FF7870B2780: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2825
                                                                      • Part of subcall function 00007FF7870B2780: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2867
                                                                      • Part of subcall function 00007FF7870B2780: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B288A
                                                                      • Part of subcall function 00007FF787104030: memset.VCRUNTIME140 ref: 00007FF787104068
                                                                      • Part of subcall function 00007FF787104030: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7871040DE
                                                                    • _close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78712B57D
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712B591
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712B5A1
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712B5B7
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712B6BA
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712B6E9
                                                                      • Part of subcall function 00007FF78712DDA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712DDE2
                                                                      • Part of subcall function 00007FF78712DDA0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712DE96
                                                                      • Part of subcall function 00007FF78712DDA0: memcpy.VCRUNTIME140 ref: 00007FF78712DEB2
                                                                      • Part of subcall function 00007FF78712DDA0: calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78712DEDD
                                                                      • Part of subcall function 00007FF78712DFC0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78712E032
                                                                      • Part of subcall function 00007FF78712DFC0: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78712E09C
                                                                      • Part of subcall function 00007FF78712DFC0: _write.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78712E0FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$malloc$memcpy$calloc$__stdio_common_vsprintf_close_errno_exit_writememset
                                                                    • String ID: --client-crresponse$TLS CR Response Error: could not write crtext challenge response to file: %s$WARNING: Failed running command (%s)$client-crresponse$creating file failed$script_type
                                                                    • API String ID: 3221992693-2265354738
                                                                    • Opcode ID: a92e95a42d677da105d82e27f275270fdab91f0ca99dd5ff0f781b0d53e6beba
                                                                    • Instruction ID: c4dc04bb209c391756fcf54d52455e3a1a58841b55cc51bbfeb169964f8b4313
                                                                    • Opcode Fuzzy Hash: a92e95a42d677da105d82e27f275270fdab91f0ca99dd5ff0f781b0d53e6beba
                                                                    • Instruction Fuzzy Hash: AF715061F59A8281EA60EB25F4543B9AB61FFC4B84FA44031CA4E57A55EF3CE486C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Event$Reset$freemalloc
                                                                    • String ID: >HOLD:Waiting for hold release:%d$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$Need hold release from management interface, waiting...$Warning: SetEvent/ResetEvent failed in net_event_win32_reset_write$man_standalone_ok(man)
                                                                    • API String ID: 1818452640-2828361868
                                                                    • Opcode ID: df8696b80a146fc88bc21b0407a2282a697dfae0576f73e6af3698d9265b766c
                                                                    • Instruction ID: 4291a22be646de8e0d52495f3024635d71f7858597ce9b3b80a034dd17d72018
                                                                    • Opcode Fuzzy Hash: df8696b80a146fc88bc21b0407a2282a697dfae0576f73e6af3698d9265b766c
                                                                    • Instruction Fuzzy Hash: 2DF18F36E8878285F710EF60E4993B9ABA1FB54748FB40135CE0E97A95DE39E447C360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: htonsmemcpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.c$STREAM: ADD length_added=%d$STREAM: ADD returned FALSE (have=%d need=%d)$STREAM: ADD returned TRUE, buf_len=%d, residual_len=%d$STREAM: RESET$WARNING: Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]$buf_copy_excess(&sb->residual, &sb->buf, sb->len)$buf_init(&sb->residual, 0)$buf_read(&sb->buf, &net_size, sizeof(net_size))
                                                                    • API String ID: 2240469833-561297206
                                                                    • Opcode ID: af7d7edb64a6f6389f71c89f39335e16eb3345fe252f115aceaf994d4fbfca21
                                                                    • Instruction ID: d34735cdb2fd640c3a61eaa5c13422096553e0ab41c8e8b00485386aa2404c04
                                                                    • Opcode Fuzzy Hash: af7d7edb64a6f6389f71c89f39335e16eb3345fe252f115aceaf994d4fbfca21
                                                                    • Instruction Fuzzy Hash: 7091B671E4860286E754BF24B480278AB51FFC1B98FB49135CA4F5BA89DF2DE482C770
                                                                    APIs
                                                                    Strings
                                                                    • Note: --data-ciphers-fallback with cipher '%s' disables data channel offload., xrefs: 00007FF7870AFE82
                                                                    • Consider using the '--compress migrate' option., xrefs: 00007FF7870B005E
                                                                    • Note: cipher '%s' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload., xrefs: 00007FF7870AFF92
                                                                    • , xrefs: 00007FF7870B003A
                                                                    • Note: '--allow-compression' is not set to 'no', disabling data channel offload., xrefs: 00007FF7870B001C
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$AlgorithmCryptProvidermemcpystrtok$CloseOpen_exitcallocmallocstrcspn
                                                                    • String ID: $Consider using the '--compress migrate' option.$Note: '--allow-compression' is not set to 'no', disabling data channel offload.$Note: --data-ciphers-fallback with cipher '%s' disables data channel offload.$Note: cipher '%s' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
                                                                    • API String ID: 1214369452-4032083594
                                                                    • Opcode ID: 3fb55b561e6f2be0c9a4df7f7df5cd9534b60b3ba9e0100fbb8d5954a2eff8c1
                                                                    • Instruction ID: 787af5218f16dd78e1e789a3bcd50928764f9d8f8f03a718bd9afe97acf98048
                                                                    • Opcode Fuzzy Hash: 3fb55b561e6f2be0c9a4df7f7df5cd9534b60b3ba9e0100fbb8d5954a2eff8c1
                                                                    • Instruction Fuzzy Hash: 96517B21A8C64286FA55BB11A5413B8E792BF85B94FE80030DA5F877C6EF2DF543C270
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _exitmalloc
                                                                    • String ID: 0 <= x && x < mod && -mod <= y && y <= mod$Assertion Failed: Array index=%d out of bounds for array size=%d in %s:%d$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\packet_id.c$PID_ERR large diff$PID_ERR replay$PID_ERR replay-window backtrack occurred$PID_ERR time backtrack$PID_TEST$p->initialized
                                                                    • API String ID: 1026295379-4204939988
                                                                    • Opcode ID: 73aebd0973610831a8f4b3673103389dd49dff89628b06df73a22523295d063d
                                                                    • Instruction ID: d0f9af2afe2a22d0f08c403f701d7207df9983f981aa6cd40da18aa0b97965a4
                                                                    • Opcode Fuzzy Hash: 73aebd0973610831a8f4b3673103389dd49dff89628b06df73a22523295d063d
                                                                    • Instruction Fuzzy Hash: A151C071E4824286E728AF21A54017DFAA1BBC4784FF0413AD64F43E99DF7DE983D620
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$memset$_exit
                                                                    • String ID: *maxevents > 0$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\event.c$WE_INIT maxevents=%d capacity=%d$WE_INIT maxevents=%d flags=0x%08x$attempted allocation of excessively large array
                                                                    • API String ID: 171174049-2757034343
                                                                    • Opcode ID: 4797dd9dc1137d3957ed0928d21138b4a6a32a4a35eaaad0bba58de146ca4821
                                                                    • Instruction ID: cacf1fb2de5fab5c6fccca0201a29715565ab1bb90ca4e00e6e61d9fbf8182bc
                                                                    • Opcode Fuzzy Hash: 4797dd9dc1137d3957ed0928d21138b4a6a32a4a35eaaad0bba58de146ca4821
                                                                    • Instruction Fuzzy Hash: 8E51CF31A49B0386FB18AB64E440378BAA5FF84B44FE04135DA5F87791EE3CE646C320
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: %s: peer-id %d, fd %d$Cannot set parameters for DCO peer (id=%u): %s$ERROR: Failed to apply DCO keepalive or MSS fix parameters$ERROR: Failed to apply P2P negotiated protocol options$ERROR: Failed to apply push options$ERROR: failed to negotiate cipher with peer and --data-ciphers-fallback not enabled. No usable data channel cipher$ERROR: failed to set crypto cipher$OPTIONS ERROR: failed to import crypto options$dco_new_peer
                                                                    • API String ID: 1475443563-3667031374
                                                                    • Opcode ID: cb2b8b61e830193cd2347674f59a0cce507d8a2f67b4aeb7fe4c6c292e5a98fb
                                                                    • Instruction ID: e9ba81f34fd65b3d146a5397fab5396aaef947a6f4fa251e42a4afe400bb7fd2
                                                                    • Opcode Fuzzy Hash: cb2b8b61e830193cd2347674f59a0cce507d8a2f67b4aeb7fe4c6c292e5a98fb
                                                                    • Instruction Fuzzy Hash: D4C18E31E9868285FB64AB2094053F8E791FB85B58FE84035CA4E8B395DF7CA486D731
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$malloc$free$_wfopen_wstat64i32
                                                                    • String ID: !ol->head$@$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$buf_inc_len(&ret, (int)read_size)$client-nat: type must be 'snat' or 'dnat'$dnat$snat
                                                                    • API String ID: 668702269-3341278675
                                                                    • Opcode ID: e44b8c12fc42ebc2af1b4bf750c37e3a6ebdfb781c3698fb40ec67043472e91a
                                                                    • Instruction ID: 78afbb9f6667c19334053105b404106c9d61b7d1113863cffd0fe3cdf51c95a7
                                                                    • Opcode Fuzzy Hash: e44b8c12fc42ebc2af1b4bf750c37e3a6ebdfb781c3698fb40ec67043472e91a
                                                                    • Instruction Fuzzy Hash: 8D71B322E8868185FA50EB11B8013B9FBA1FB84B94FE44135DE4E57B95DE3CE497C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$D_bytes
                                                                    • String ID: %02x$%s.%s$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto.c$RAND_bytes() failed$rand_bytes(output, len)
                                                                    • API String ID: 1282830771-399443464
                                                                    • Opcode ID: 175758b68b3e3960387b75e77a59609e302ccec5b18d000f465a1272f7cb441d
                                                                    • Instruction ID: 9de15be7a1093b49c9720a860759dee585ecbc7e2835051b31915322df525d34
                                                                    • Opcode Fuzzy Hash: 175758b68b3e3960387b75e77a59609e302ccec5b18d000f465a1272f7cb441d
                                                                    • Instruction Fuzzy Hash: 0461B621F4575285FB15AFA4A8543BCAB61BF84744FA44635CE4E9AB85EF3CE483C320
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7870D945F), ref: 00007FF7870C8913
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7870D945F), ref: 00007FF7870C897F
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7870D945F), ref: 00007FF7870C89F5
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D945F), ref: 00007FF7870C8A84
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D945F), ref: 00007FF7870C8AAB
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: freemalloc$_exit
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\list.c$attempted allocation of excessively large array$n_buckets > 0$ret > 0
                                                                    • API String ID: 1168006677-1341338459
                                                                    • Opcode ID: 102234f1d23fda941137d378d3de8da60ec6496bcad870b19c61ffbe88f4f35a
                                                                    • Instruction ID: 88c36b4bb4c05a3a38b477586d0751bfb651eea2a8e3829dac356dbe32d7da45
                                                                    • Opcode Fuzzy Hash: 102234f1d23fda941137d378d3de8da60ec6496bcad870b19c61ffbe88f4f35a
                                                                    • Instruction Fuzzy Hash: B851C232A59B4286E714EF15E440279B7A0FBC4B94FA84535DA8F83B94DF3CE482C714
                                                                    APIs
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870C04CE
                                                                      • Part of subcall function 00007FF7870AC920: RAND_bytes.LIBCRYPTO-3-X64 ref: 00007FF7870AC9BA
                                                                      • Part of subcall function 00007FF7870AC920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870ACB33
                                                                      • Part of subcall function 00007FF7870AC920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870ACB64
                                                                    Strings
                                                                    • Using --genkey type with --secret filename is not supported. Use --genkey type filename instead., xrefs: 00007FF7870C040F
                                                                    • OpenVPN auth-token server key, xrefs: 00007FF7870C058F
                                                                    • WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead., xrefs: 00007FF7870C0484
                                                                    • Failed to write key file, xrefs: 00007FF7870C04B8
                                                                    • You must provide a filename to either --genkey or --secret, not both, xrefs: 00007FF7870C045B
                                                                    • OpenVPN tls-crypt-v2 server key, xrefs: 00007FF7870C0520
                                                                    • WARNING: mlockall call failed (function not implemented), xrefs: 00007FF7870C03D6
                                                                    • Randomly generated %d bit key written to %s, xrefs: 00007FF7870C04F6
                                                                    • --genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key, xrefs: 00007FF7870C0551
                                                                    Similarity
                                                                    • API ID: free$D_bytes_exit
                                                                    • String ID: --genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key$Failed to write key file$OpenVPN auth-token server key$OpenVPN tls-crypt-v2 server key$Randomly generated %d bit key written to %s$Using --genkey type with --secret filename is not supported. Use --genkey type filename instead.$WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.$WARNING: mlockall call failed (function not implemented)$You must provide a filename to either --genkey or --secret, not both
                                                                    • API String ID: 1843738735-1306471859
                                                                    • Opcode ID: 6aa3005905530fc736b7bb66942a2f401fc2188cad07a05cfe974d753848f027
                                                                    • Instruction ID: 5b2c5a0ceab62a9f5005f809348ba647bf5716916294a4388572f7bb889c0ebc
                                                                    • Opcode Fuzzy Hash: 6aa3005905530fc736b7bb66942a2f401fc2188cad07a05cfe974d753848f027
                                                                    • Instruction Fuzzy Hash: DE517061E8824245FB50BB6094403BAD352FF81798FF40035DA1E8B2C6EE6DA987C331
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: strncmp$isspace
                                                                    • String ID: Offending option received from server$Pushed option accepted by filter: '%s'$Pushed option rejected by filter: '%s'. Restarting.$Pushed option removed by filter: '%s'$buf_copy(&buf2, &buf)
                                                                    • API String ID: 880961867-1881576087
                                                                    • Opcode ID: f04c1002a51d10289233de24631ff55a9c23dd9208d29967e93d8c12abf7a7be
                                                                    • Instruction ID: ecce4d36a81a179728b81bf191ecf0afca732910a0bda1e8e08d2675d44a767b
                                                                    • Opcode Fuzzy Hash: f04c1002a51d10289233de24631ff55a9c23dd9208d29967e93d8c12abf7a7be
                                                                    • Instruction Fuzzy Hash: BB519031A4864281EB64AB15E581779F7A1FF40B98FE44036CA0F876D5DE3CE447C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$ErrorLast_errnocallocmallocsendstrerror
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$MANAGEMENT: TCP %s error: %s$buf_advance(buf, n)$send
                                                                    • API String ID: 3384834515-2442098923
                                                                    • Opcode ID: fc02c23f5018610476744ac2de773239deab5830e6a38e51f9ac75327b9c01c0
                                                                    • Instruction ID: c86c08f33556576e7f789840bc2a23da57cf0f6a582f3cc781a6d0bf8346c451
                                                                    • Opcode Fuzzy Hash: fc02c23f5018610476744ac2de773239deab5830e6a38e51f9ac75327b9c01c0
                                                                    • Instruction Fuzzy Hash: 46518031A4978282EA24AF25E4482B8E761FFC4B54FB44535DA5E976A0DF3CF496C320
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7870D95C9), ref: 00007FF7870D1FD1
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7870D95C9), ref: 00007FF7870D2015
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7870D95C9), ref: 00007FF7870D2056
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D95C9), ref: 00007FF7870D20D9
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D95C9), ref: 00007FF7870D20EE
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D95C9), ref: 00007FF7870D2104
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D95C9), ref: 00007FF7870D210D
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$malloc$_exit
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$attempted allocation of excessively large array$ret > 0
                                                                    • API String ID: 964013721-1229036220
                                                                    • Opcode ID: 11cecad8e8c9e63a91624519117bd77ee9e806f0bc49698f5b5a9d7e4fa3f5f3
                                                                    • Instruction ID: 03ed8859d8da45f74a01fd20d95e84671e3e45d29d160da0bc6220f0751ca7f8
                                                                    • Opcode Fuzzy Hash: 11cecad8e8c9e63a91624519117bd77ee9e806f0bc49698f5b5a9d7e4fa3f5f3
                                                                    • Instruction Fuzzy Hash: C341A331A49B4282EB18EB24E444279EAA1FF94B40FA48535DB5F82795EF3CE4D2C250
                                                                    APIs
                                                                    Strings
                                                                    • Warning: close_net_event_win32: WSAEventSelect call failed, xrefs: 00007FF787143CF3
                                                                    • Warning: CloseHandle (read) failed in close_net_event_win32, xrefs: 00007FF787143D51
                                                                    • Warning: ResetEvent (write) failed in close_net_event_win32, xrefs: 00007FF787143D8A
                                                                    • Warning: ResetEvent (read) failed in close_net_event_win32, xrefs: 00007FF787143D1F
                                                                    • Warning: CloseHandle (write) failed in close_net_event_win32, xrefs: 00007FF787143DBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Event$CloseHandleReset$Select
                                                                    • String ID: Warning: CloseHandle (read) failed in close_net_event_win32$Warning: CloseHandle (write) failed in close_net_event_win32$Warning: ResetEvent (read) failed in close_net_event_win32$Warning: ResetEvent (write) failed in close_net_event_win32$Warning: close_net_event_win32: WSAEventSelect call failed
                                                                    • API String ID: 3828575580-1130693431
                                                                    • Opcode ID: 5ce1daeb4815fc224e3375df78d7f768122360f5d16a7e6a4882a868ec7cc1d9
                                                                    • Instruction ID: e61f73d33599d17b30bacda4e3936cf1f699c6748c7b6c5194f09d7dd90fc021
                                                                    • Opcode Fuzzy Hash: 5ce1daeb4815fc224e3375df78d7f768122360f5d16a7e6a4882a868ec7cc1d9
                                                                    • Instruction Fuzzy Hash: D2318F20E8860241FF54BB21E4427B4D752BFC4B95FF44034DA2F56AE5EE2CE846C2B1
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787125A25
                                                                      • Part of subcall function 00007FF7870B3290: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF787100D21), ref: 00007FF7870B32FD
                                                                      • Part of subcall function 00007FF787118AB0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787118B02
                                                                      • Part of subcall function 00007FF787118AB0: memset.VCRUNTIME140 ref: 00007FF787118B4C
                                                                      • Part of subcall function 00007FF787118AB0: getnameinfo.WS2_32 ref: 00007FF787118C50
                                                                      • Part of subcall function 00007FF787118AB0: FormatMessageA.KERNEL32 ref: 00007FF787118C87
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787125AB0
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787125B96
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787125BC4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$free$FormatMessage__stdio_common_vsprintf_exitgetnameinfomemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_common.h$TLS: tls_update_remote_addr from IP=%s to IP=%s$false$ks->crypto_options.key_ctx_bi.initialized$tbs
                                                                    • API String ID: 1953596131-561856474
                                                                    • Opcode ID: d7f75ecd4bcecb1f379adb264236f29bd19ce30d9ff03c085ac6bf7cda7b2581
                                                                    • Instruction ID: 5cae8cc5e1e5ed886935be8ab65c73562525b8e50b3ea250c53c35b2fb797488
                                                                    • Opcode Fuzzy Hash: d7f75ecd4bcecb1f379adb264236f29bd19ce30d9ff03c085ac6bf7cda7b2581
                                                                    • Instruction Fuzzy Hash: E5B1AF26E59642C5FB10EB25E4812BDABB1BB84758FA48075CE0E17E95DF3CE587C320
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: mallocmemcpymemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\plugin.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$pl->common$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 1097350464-2681198422
                                                                    • Opcode ID: e6c5a5db77b3b6c513ee704ac0bfccf08ef4262adfd7e56a4a47ecc05408bafd
                                                                    • Instruction ID: d6fdf1553bc4e26efec077ff2984e842b1c9cee15acbac92561f0bb951786b05
                                                                    • Opcode Fuzzy Hash: e6c5a5db77b3b6c513ee704ac0bfccf08ef4262adfd7e56a4a47ecc05408bafd
                                                                    • Instruction Fuzzy Hash: BEB1AB22D08BC181E761DF24D9403E87360FB99B48F699236DF8D5B65AEF38A1C1C320
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B27FF
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2825
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2867
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B288A
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2905
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                      • Part of subcall function 00007FF7870B2320: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B2373
                                                                      • Part of subcall function 00007FF7870B2320: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B23B7
                                                                      • Part of subcall function 00007FF7870B2320: memcpy.VCRUNTIME140(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B241B
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B29BA
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$memcpy$__stdio_common_vsprintffree
                                                                    • String ID: %s=%s$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\env_set.c$name$name && strlen(name) > 1$str
                                                                    • API String ID: 844290722-3505699284
                                                                    • Opcode ID: ff450688aae4f2c1db346d3d1fd42e619331d5eac9952dca274f13867ef3f3b1
                                                                    • Instruction ID: 4ed77880ba64c100c3f303af065bbea49919527ba0bc259d11ee2b9c1eb7d1e5
                                                                    • Opcode Fuzzy Hash: ff450688aae4f2c1db346d3d1fd42e619331d5eac9952dca274f13867ef3f3b1
                                                                    • Instruction Fuzzy Hash: 9971D221E89A8246EB55EF10A4113B9E750FF85B90FE84531DA4F87B95DF3CE686C320
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: htonl
                                                                    • String ID: ACK write ID %u (ack->len=%d, n=%d)$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\reliable.c$ack->len >= n$buf_write(&ctx->work, &header, sizeof(header))$buf_write(&sub, &net_pid, sizeof(net_pid))$buf_write_u8(&sub, total_acks)$session_id_defined(sid)$session_id_write(sid, &sub)
                                                                    • API String ID: 2009864989-342039051
                                                                    • Opcode ID: 70ff3f5aafe6d0c3e608be4bcc3d60016af7eb8a5785f2a077ae66c4da1ac179
                                                                    • Instruction ID: 022308b8808120615df4a69811667892487171ffc3157872c8a7920a7827be4b
                                                                    • Opcode Fuzzy Hash: 70ff3f5aafe6d0c3e608be4bcc3d60016af7eb8a5785f2a077ae66c4da1ac179
                                                                    • Instruction Fuzzy Hash: 5FB1AF36E4869286E720EF14E4446B9BBA1FB84785FB08031DA4E47F55DF3DE946CB20
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: free$__acrt_iob_funcfprintfhtonsmalloc
                                                                    • String ID: Recursive routing detected, drop tun packet to %s$TUN READ [%d]$[NULL]
                                                                    • API String ID: 3903222774-2675889498
                                                                    • Opcode ID: 63d34ef77cd91b1ba0c10f91e9a4bdef5d7e429bfd58355ff0d593a7de93a102
                                                                    • Instruction ID: 27134742c511883cb04c5b4e24d71a1fe05dc0c18d52b7059cc0cbac4c5ed7f9
                                                                    • Opcode Fuzzy Hash: 63d34ef77cd91b1ba0c10f91e9a4bdef5d7e429bfd58355ff0d593a7de93a102
                                                                    • Instruction Fuzzy Hash: 16C1B331E58A82C5EA24AB54D0803B9B361FFA4B84FA44135DB4F87795DF2DE646C720
                                                                    APIs
                                                                    • closesocket.WS2_32 ref: 00007FF7870CD875
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7870CE3C7), ref: 00007FF7870CD8F0
                                                                      • Part of subcall function 00007FF787143CB0: WSAEventSelect.WS2_32 ref: 00007FF787143CDB
                                                                      • Part of subcall function 00007FF787143CB0: ResetEvent.KERNEL32(?,?,FFFFFFFF,00007FF7870CD860), ref: 00007FF787143D07
                                                                      • Part of subcall function 00007FF787143CB0: CloseHandle.KERNEL32(?,?,FFFFFFFF,00007FF7870CD860), ref: 00007FF787143D39
                                                                      • Part of subcall function 00007FF787143CB0: ResetEvent.KERNEL32(?,?,FFFFFFFF,00007FF7870CD860), ref: 00007FF787143D72
                                                                      • Part of subcall function 00007FF787143CB0: CloseHandle.KERNEL32(?,?,FFFFFFFF,00007FF7870CD860), ref: 00007FF787143DA5
                                                                    • pkcs11h_certificate_signAny_ex.LIBPKCS11-HELPER-1(?,00000000,?,00007FF7870CE3C7), ref: 00007FF7870CD934
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00007FF7870CE3C7), ref: 00007FF7870CD979
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Event$CloseHandleResetfree$Any_exSelectclosesocketpkcs11h_certificate_sign
                                                                    • String ID: MANAGEMENT: Client disconnected$MANAGEMENT: Triggering management exit$MANAGEMENT: Triggering management signal$management-disconnect$management-exit
                                                                    • API String ID: 3472691461-2089480344
                                                                    • Opcode ID: 39ae9d9a82c9bd800dbf03112b369a2cbffbd71b41f7e527b6339952b6648c2a
                                                                    • Instruction ID: cb5d9d00d918179240db3dab8e3d9e528defda5a1d4c973cc4d764406ffba26e
                                                                    • Opcode Fuzzy Hash: 39ae9d9a82c9bd800dbf03112b369a2cbffbd71b41f7e527b6339952b6648c2a
                                                                    • Instruction Fuzzy Hash: 2B915131E8C74681F624AB15A944679BB92FBC4B50FE80035CA9F83B91DE7CE457C720
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78710B53B
                                                                      • Part of subcall function 00007FF7870A30B0: isalnum.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A30E9
                                                                      • Part of subcall function 00007FF7870A30B0: isalpha.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A30FE
                                                                      • Part of subcall function 00007FF7870A30B0: iscntrl.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A3122
                                                                      • Part of subcall function 00007FF7870A30B0: isdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A3137
                                                                      • Part of subcall function 00007FF7870A30B0: ispunct.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A3161
                                                                      • Part of subcall function 00007FF7870A30B0: isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A3177
                                                                      • Part of subcall function 00007FF7870A30B0: isxdigit.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7870A318D
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78710B5B7
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78710B5C3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$_exitisalnumisalphaiscntrlisdigitispunctisspaceisxdigit
                                                                    • String ID: !push_list->tail$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\push.c$PUSH OPTION FAILED (illegal comma (',') in string): '%s'$push_list->tail$str
                                                                    • API String ID: 499372264-3458957402
                                                                    • Opcode ID: 3d168319d197b9385ecc075073af28d29e7be0d5b159e38d2ee26df6ce49c654
                                                                    • Instruction ID: ebd264bbfb079ae9b22b1c575beb9c9278497cbb91c48d5bb9c77c66a558bba0
                                                                    • Opcode Fuzzy Hash: 3d168319d197b9385ecc075073af28d29e7be0d5b159e38d2ee26df6ce49c654
                                                                    • Instruction Fuzzy Hash: 1F519121E8874281EA64AB01B8503B9EBA0FFC4785FF44435DA9E57B95DE3CE946C720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$htonlinet_ntoa
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\helper.c$route-gateway %s$route_gateway
                                                                    • API String ID: 3620171695-409064628
                                                                    • Opcode ID: 8cca3516a00bd30ea56dc0b36d42e02a4ba2bb15d9e0224e3e7cde3dbb3002e8
                                                                    • Instruction ID: e4af3268eb1d309b12b744514b074536c5d427a724c0232ccd85eb4f8527b989
                                                                    • Opcode Fuzzy Hash: 8cca3516a00bd30ea56dc0b36d42e02a4ba2bb15d9e0224e3e7cde3dbb3002e8
                                                                    • Instruction Fuzzy Hash: ED41A022F45B5285FB00AF64D4402BDA771BF44B84FA48839CA4E56B55EF7C9A46C320
                                                                    APIs
                                                                      • Part of subcall function 00007FF7870B2780: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B27FF
                                                                      • Part of subcall function 00007FF7870B2780: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2825
                                                                      • Part of subcall function 00007FF7870B2780: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2867
                                                                      • Part of subcall function 00007FF7870B2780: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B288A
                                                                      • Part of subcall function 00007FF7870A28B0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A28FD
                                                                      • Part of subcall function 00007FF7870B2780: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B2905
                                                                      • Part of subcall function 00007FF7870B2780: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF78711913E), ref: 00007FF7870B29BA
                                                                    • _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7870E69A9
                                                                    • GetCurrentProcessId.KERNEL32 ref: 00007FF7870E69DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$memcpy$CurrentProcess__stdio_common_vsprintf_time64free
                                                                    • String ID: %lli$config$daemon$daemon_log_redirect$daemon_pid$daemon_start_time$verb
                                                                    • API String ID: 2839251880-805105325
                                                                    • Opcode ID: 2afe0341ae483b0559f8abe0b923886b8d1d4796520687f8efd3627df63a4e5a
                                                                    • Instruction ID: 8b95f4b1cec9c6f46ccc044b3065cb51f425ddb12e8fa50d38a29f066f195905
                                                                    • Opcode Fuzzy Hash: 2afe0341ae483b0559f8abe0b923886b8d1d4796520687f8efd3627df63a4e5a
                                                                    • Instruction Fuzzy Hash: FC41D265E4868296EB10EB61F4013EAE721FB84780FE48036DB4F87A55DF7CE50AC760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: X_get_iv_length$R_get_flagsX509_Y_get_objectmemcpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$TLS Error: key_state not authenticated$cipher_ctx_iv_length(ctx->cipher) >= OPENVPN_AEAD_MIN_IV_LEN$impl_iv_len <= OPENVPN_MAX_IV_LENGTH
                                                                    • API String ID: 1461605756-1230769003
                                                                    • Opcode ID: 37b23c6766837c3aa39fa4814754199588c55890a044f5c4c5ef1e2766eff095
                                                                    • Instruction ID: d28eac0a23cb97eb0d397f02709bca04ee1c95928cc0f04fdbc706d8be5d7506
                                                                    • Opcode Fuzzy Hash: 37b23c6766837c3aa39fa4814754199588c55890a044f5c4c5ef1e2766eff095
                                                                    • Instruction Fuzzy Hash: 8D319C21E69A4181FA10AB15F8141B9A762FBC4BC4FE44031DA4F47AA9DF3CD986C320
                                                                    APIs
                                                                    • EVP_PKEY_CTX_new_id.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE457
                                                                    • EVP_PKEY_derive_init.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE473
                                                                    • EVP_md5_sha1.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE47D
                                                                    • EVP_PKEY_CTX_set_tls1_prf_md.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE489
                                                                    • EVP_PKEY_CTX_set1_tls1_prf_secret.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE49C
                                                                    • EVP_PKEY_CTX_add1_tls1_prf_seed.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE4AF
                                                                    • EVP_PKEY_derive.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE4D1
                                                                    • EVP_PKEY_CTX_free.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,00007FF7870AA07E), ref: 00007FF7870AE4EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: P_md5_sha1X_add1_tls1_prf_seedX_freeX_new_idX_set1_tls1_prf_secretX_set_tls1_prf_mdY_deriveY_derive_init
                                                                    • String ID: authname
                                                                    • API String ID: 2490367723-2175095425
                                                                    • Opcode ID: 5a1e9b2602f428c6c9f60f4ea7ed1d7647e9b02976b5a3e4d8b420d2571cd78d
                                                                    • Instruction ID: 7ef2564a278b357a007cecc824082d0ebb885fde4bcabab511d2afa1bd7128fc
                                                                    • Opcode Fuzzy Hash: 5a1e9b2602f428c6c9f60f4ea7ed1d7647e9b02976b5a3e4d8b420d2571cd78d
                                                                    • Instruction Fuzzy Hash: 8C217421B4865141FA60AB23B85567AE796BFC4FD0F980035DD4F86B64EE3CD04BC720
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: __stdio_common_vsscanf
                                                                    • String ID: %lu$ERROR: The '%s' command is not supported by the current daemon mode$ERROR: cannot parse %s$ERROR: cannot parse CID$ERROR: client-deny command failed$KID$SUCCESS: client-deny command succeeded$client-deny
                                                                    • API String ID: 3384879002-1508161416
                                                                    • Opcode ID: 97276d3129f16ec78e2f702c308d638d6f119418f6005ca91b8eee5709fecf5e
                                                                    • Instruction ID: f08e981a3775bf52851a30c79c7a3ff95e7140d00b9bcfe1025c937d336219f0
                                                                    • Opcode Fuzzy Hash: 97276d3129f16ec78e2f702c308d638d6f119418f6005ca91b8eee5709fecf5e
                                                                    • Instruction Fuzzy Hash: 8D616C21A9C64281EA10BB20F4513B8E761FF85B98FE44036DE4E8B795DF3DE646C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$__acrt_iob_funcexitfprintfmemcpymemset
                                                                    • String ID: DISABLED$ENABLED$[INLINE]$[UNDEF]
                                                                    • API String ID: 4172297799-3928344206
                                                                    • Opcode ID: 99b99aa1a7166f74e4c3045a292b333bd7b65c210abdda05db7b1652229d4010
                                                                    • Instruction ID: 054cd1bf4800e0c1d4a3febba9e1a2577fed55a5fdeb14efeb4cdbb6e1f0dfc7
                                                                    • Opcode Fuzzy Hash: 99b99aa1a7166f74e4c3045a292b333bd7b65c210abdda05db7b1652229d4010
                                                                    • Instruction Fuzzy Hash: 37518D72A59B8581EB11AF61E4043A9B3A1FB94B88FA88135DF8E47755EF3CD092C311
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$_exit
                                                                    • String ID: [key#%d state=%s auth=%s id=%d sid=%s]$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_common.h$KS_????$KS_AUTH_DEFERRED$KS_AUTH_FALSE$KS_AUTH_TRUE$[NULL]$false
                                                                    • API String ID: 223925368-2039215336
                                                                    • Opcode ID: 4beefc99bb5c8064c22daf8bb0ddf1531fb7a7d5973c80b98de46eaf6cfc3671
                                                                    • Instruction ID: b3cf88cf66ba6e1d4bc01f923b48c05f3afb9a29ca62782ce37140b31e915339
                                                                    • Opcode Fuzzy Hash: 4beefc99bb5c8064c22daf8bb0ddf1531fb7a7d5973c80b98de46eaf6cfc3671
                                                                    • Instruction Fuzzy Hash: AF416F32E4CB4686E615AB18F4402A9EB60FBC5780FA45135DA8E4BF98DF3CF456C760
                                                                    APIs
                                                                    • freeaddrinfo.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7870BF84B
                                                                      • Part of subcall function 00007FF7870B3290: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF787100D21), ref: 00007FF7870B32FD
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7870BFA06
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exit$freeaddrinfo
                                                                    • String ID: All connections have been connect-retry-max (%d) times unsuccessful, exiting$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\init.c$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$No usable connection profiles are present$c->c1.link_socket_addr.current_remote == NULL$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 1126526534-496913841
                                                                    • Opcode ID: a8ac9ce0c51e151ff2257f435da88e249651d408c73ff58dbca2df75d68f8f66
                                                                    • Instruction ID: 083297677cb715327f358c2bc7fca58dbe528573a41ed85b10f967369c2ae213
                                                                    • Opcode Fuzzy Hash: a8ac9ce0c51e151ff2257f435da88e249651d408c73ff58dbca2df75d68f8f66
                                                                    • Instruction Fuzzy Hash: 70818172D48AC186E744AF24D5503B8B760FB94B48F689235CF8E97756DF28B6D1C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exitstrerror
                                                                    • String ID: %s: peer_id=%d keyid=%d, currently %d keys installed$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto.c$Data Channel$FATAL: DCO does not support --auth$Impossible to install key material in DCO: %s$dco_install_key
                                                                    • API String ID: 2999858406-1935302525
                                                                    • Opcode ID: 8fdfc84968cf95a9241f879bb275cb8fc65ddca6b6b5e5a945b4d7aa2feb0540
                                                                    • Instruction ID: e25ccffa966fb351d0fe7b3810ad37d2a0a5bb089091cec55b98724a938ac61e
                                                                    • Opcode Fuzzy Hash: 8fdfc84968cf95a9241f879bb275cb8fc65ddca6b6b5e5a945b4d7aa2feb0540
                                                                    • Instruction Fuzzy Hash: 2E61F772E4878286EB24EB15E4003A9B7A0FB84788FA45135DB8E4BF95DF3CE556C710
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorEventLast$FileResetWrite__acrt_iob_func__stdio_common_vfprintffprintfhtonsmemcpy
                                                                    • String ID: TUN WRITE [%d]$TUN/TAP packet was destructively fragmented on write to %s (tried=%d,actual=%d)$tun packet too large on write (tried=%d,max=%d)$write to TUN/TAP
                                                                    • API String ID: 3932388399-2871165756
                                                                    • Opcode ID: 27b7a45a0cbd63923fc9e9c24061c874009e6b1c10d04973f332970c89823d53
                                                                    • Instruction ID: 285ce78a11a9f420daf5a5d382b350b9ae613acaa8ccf59d5817ba174676c415
                                                                    • Opcode Fuzzy Hash: 27b7a45a0cbd63923fc9e9c24061c874009e6b1c10d04973f332970c89823d53
                                                                    • Instruction Fuzzy Hash: 8681D771E8C68292E618BB20A5402F8F7A1FB44780FA04435DB5E83A95DF3DF5A3D760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: inet_ptonstrncpy
                                                                    • String ID: IPv6 route %s via service %s$addition$deletion$failed because route exists$fe80::8$succeeded
                                                                    • API String ID: 2240044981-3542334874
                                                                    • Opcode ID: 6ab7d6a95ff79d01ec057e323377859442ccd9b3c672a3db551d166113cd8552
                                                                    • Instruction ID: 91b8c48c670e23ced5dbb366bdee5f9da2abbee51e06edf201b358c297f76b78
                                                                    • Opcode Fuzzy Hash: 6ab7d6a95ff79d01ec057e323377859442ccd9b3c672a3db551d166113cd8552
                                                                    • Instruction Fuzzy Hash: 5651D072E147C28AE750DF24E8413A8B7A0F7D9358FA01335EA8946D98EF78D585CB50
                                                                    APIs
                                                                    • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00007FF78711C189), ref: 00007FF787126D0D
                                                                    • SSL_CTX_set_ciphersuites.LIBSSL-3-X64(?,?,00007FF78711C189), ref: 00007FF787126D66
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00007FF78711C189), ref: 00007FF787126DA8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: X_set_ciphersuites_exitstrncpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_openssl.c$Failed to set restricted TLS 1.3 cipher list, too long (>%d).$Failed to set restricted TLS 1.3 cipher list: %s$NULL != ctx$_
                                                                    • API String ID: 52668442-3140465670
                                                                    • Opcode ID: fee5b040037e2ff91fbff0099542831c3b0ccd76b33e231e10cd42e5ec0b5184
                                                                    • Instruction ID: 38bb5b324e4d4cf61eba37d11efc5bda93282a7b1a61e846066005e469f8757b
                                                                    • Opcode Fuzzy Hash: fee5b040037e2ff91fbff0099542831c3b0ccd76b33e231e10cd42e5ec0b5184
                                                                    • Instruction Fuzzy Hash: 5131CE61E9858A81FA60B720E4003B4EA51BF853A4FE00730D5AF02ED5EE2CE956C320
                                                                    APIs
                                                                    • memset.VCRUNTIME140 ref: 00007FF787104068
                                                                      • Part of subcall function 00007FF7870AC6A0: RAND_bytes.LIBCRYPTO-3-X64(?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870AC6BD
                                                                      • Part of subcall function 00007FF7870A28B0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A28FD
                                                                      • Part of subcall function 00007FF7871041A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF7871041FB
                                                                      • Part of subcall function 00007FF7871041A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF787104224
                                                                      • Part of subcall function 00007FF7871041A0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,?,?,00007FF7871040BE), ref: 00007FF7871042C6
                                                                      • Part of subcall function 00007FF787103E60: MultiByteToWideChar.KERNEL32 ref: 00007FF787103EA7
                                                                      • Part of subcall function 00007FF787103E60: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787103EBE
                                                                      • Part of subcall function 00007FF787103E60: MultiByteToWideChar.KERNEL32 ref: 00007FF787103EF2
                                                                      • Part of subcall function 00007FF787103E60: _wopen.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF787103F01
                                                                      • Part of subcall function 00007FF787103E60: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787103F16
                                                                    • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7871040DE
                                                                    • _close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF787104138
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$ByteCharMultiWide$D_bytes__stdio_common_vsprintf_close_errno_wopenfreememcpymemset
                                                                    • String ID: Could not create temporary file '%s'$ERROR: temporary filename too long$Failed to create temporary file after %i attempts$Failed to create temporary filename and path$openvpn_%.*s_%08lx%08lx.tmp
                                                                    • API String ID: 2358830433-1228773596
                                                                    • Opcode ID: 7316762ab04186718baadfd261e2a91ec3064222fddb52315ddd0c1f62c6a8e9
                                                                    • Instruction ID: 671a401234e89d28b2f6650424133501d989cee82ff97c632f31f7414591455b
                                                                    • Opcode Fuzzy Hash: 7316762ab04186718baadfd261e2a91ec3064222fddb52315ddd0c1f62c6a8e9
                                                                    • Instruction Fuzzy Hash: 7231A061E8860241FA50BB51B8813B99A51BFC6781FF04031DE0F5BBD6EE3CB947C221
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: socket
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.c$SOCKS$TCP/UDP$addrinfo->ai_socktype == SOCK_DGRAM$addrinfo->ai_socktype == SOCK_STREAM
                                                                    • API String ID: 98920635-2676201798
                                                                    • Opcode ID: f1c6ba66c7c2ddfab39a2257a9d0e31be517bda3467ad5295e6d084e0c0a539d
                                                                    • Instruction ID: 00af3d405b640e625341566277bc3c499d2d10284d0084bc6dedefe4c8778757
                                                                    • Opcode Fuzzy Hash: f1c6ba66c7c2ddfab39a2257a9d0e31be517bda3467ad5295e6d084e0c0a539d
                                                                    • Instruction Fuzzy Hash: A4419476E48686D5E360DF14E0042A8BB71FB84B44FA49132DB4E47E58DF3CE986C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exitfreemalloc
                                                                    • String ID: !(compctx->flags & COMP_F_SWAP)$0$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\lzo.c$Cannot initialize LZO compression library (lzo_init() returns %d)$LZO compression initializing
                                                                    • API String ID: 1270427896-686791244
                                                                    • Opcode ID: b39e45e575254caf258601cc2a2dfa6c1260b80f100a7ab0dc2a800c7daf6355
                                                                    • Instruction ID: 730538d2bffb886c7688073f075813d754814d9b865cda34ec1ac7fe2852bd58
                                                                    • Opcode Fuzzy Hash: b39e45e575254caf258601cc2a2dfa6c1260b80f100a7ab0dc2a800c7daf6355
                                                                    • Instruction Fuzzy Hash: F93105A295864287F740AF50E4143A8BB62FF94B48FA04139CB8E47781DF3DE49AC750
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7870D1DEB), ref: 00007FF7870D1D5B
                                                                    • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7870D1DEB), ref: 00007FF7870D1D77
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870D1E32
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exitmallocmemset
                                                                    • String ID: 0 <= x && x < mod && -mod <= y && y <= mod$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$attempted allocation of excessively large array$capacity > 0
                                                                    • API String ID: 1198423990-458266078
                                                                    • Opcode ID: f969d6308fd081ac9cef798b3c2ed954c83a64a42c3a3fe6571f1acd3367c007
                                                                    • Instruction ID: c5ed07ec15f0ab6ee7a6401bded71cb9db3a0c41672e31942404690c17d7997d
                                                                    • Opcode Fuzzy Hash: f969d6308fd081ac9cef798b3c2ed954c83a64a42c3a3fe6571f1acd3367c007
                                                                    • Instruction Fuzzy Hash: C321AC21E8874242FA08BB54A4852B9EA61BF84786FF18635D65E42BD5DE3CE543C360
                                                                    APIs
                                                                    • SSL_CTX_set_cipher_list.LIBSSL-3-X64(0000000100000000,?,00007FF787126BEE,?,00007FF78711C189), ref: 00007FF787126BA3
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7870AC6F5), ref: 00007FF7870ACF45
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_error_string.LIBCRYPTO-3-X64 ref: 00007FF7870AD01A
                                                                      • Part of subcall function 00007FF7870ACF10: ERR_get_error_all.LIBCRYPTO-3-X64 ref: 00007FF7870AD0AE
                                                                      • Part of subcall function 00007FF7870B3290: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF787100D21), ref: 00007FF7870B32FD
                                                                    • SSL_CTX_set_cipher_list.LIBSSL-3-X64(?,00007FF78711C189), ref: 00007FF787126BFB
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00007FF787126BEE,?,00007FF78711C189), ref: 00007FF787126C3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_get_error_allX_set_cipher_list_exit$R_error_string
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl_openssl.c$DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA$Failed to set default TLS cipher list.$Failed to set restricted TLS cipher list: %s$NULL != ctx
                                                                    • API String ID: 2375525635-765103804
                                                                    • Opcode ID: 394b44d09b96f8e9a9425b1b6a90f7feb17f1af539dfc97d234b8111af01dfde
                                                                    • Instruction ID: f6637c8345dc5efccad4202c6bc6a082b50c15f73ef904684b25d58b7c047b05
                                                                    • Opcode Fuzzy Hash: 394b44d09b96f8e9a9425b1b6a90f7feb17f1af539dfc97d234b8111af01dfde
                                                                    • Instruction Fuzzy Hash: 31217C20EA864281FA54FB20E8513F9D655FFC4784FF44435D94F4AAE6EE2CEA46C220
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_freeR_get_flags$R_fetchR_get_mode
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$ciphername
                                                                    • API String ID: 715063678-1112096609
                                                                    • Opcode ID: 8845ca7f6731cdd291132470a3a0749f533c83a7e3be9d5822a6932e5e35eee2
                                                                    • Instruction ID: 20cf2eda67a2002ca213ff4a433e2f1751bad09d372c4daf9de10d3e3de77647
                                                                    • Opcode Fuzzy Hash: 8845ca7f6731cdd291132470a3a0749f533c83a7e3be9d5822a6932e5e35eee2
                                                                    • Instruction Fuzzy Hash: EC21B525B9874281FA14BB15A849179EB91BF85B80FEC5631DD0F83B95DE3CE487C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintffree
                                                                    • String ID: %02x$%s pre_master: %s$%s random1: %s$%s random2: %s$TLS Error: key already initialized
                                                                    • API String ID: 3318139537-2944913860
                                                                    • Opcode ID: 42e10074f791eacc084582b8667e2549cd0c58176e508782b4027def9c45ca67
                                                                    • Instruction ID: b7e5f0750e7bc9416c071839111b8fcd7d114da910a1a6dec713a215dbc834ee
                                                                    • Opcode Fuzzy Hash: 42e10074f791eacc084582b8667e2549cd0c58176e508782b4027def9c45ca67
                                                                    • Instruction Fuzzy Hash: 8AD1EF21F8865285FB04AFA4A5401B8AFB1BF84758FE45536DE0E57AA5EE3CE446C330
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$mallocmemset
                                                                    • String ID: [CONFIG-STRING]$config
                                                                    • API String ID: 2682772760-1041147310
                                                                    • Opcode ID: 2e1101ccff736f3771e331c375d9349640165a33fcdd84cb7113b8e76760d344
                                                                    • Instruction ID: 800caafa7117af966f0531ad802d6f3e4483c0f7a99283aa7727e85bf190621f
                                                                    • Opcode Fuzzy Hash: 2e1101ccff736f3771e331c375d9349640165a33fcdd84cb7113b8e76760d344
                                                                    • Instruction Fuzzy Hash: CEA18176A59A8182EB20EB01A104769F761FB86BE4FA84031CE9E47B55DF3DE446C710
                                                                    APIs
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78711E86A
                                                                    • memcpy.VCRUNTIME140 ref: 00007FF78711E8EA
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78711EA9C
                                                                      • Part of subcall function 00007FF7870B3290: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF787100D21), ref: 00007FF7870B32FD
                                                                      • Part of subcall function 00007FF7870A2610: _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870A2640
                                                                      • Part of subcall function 00007FF7870A2610: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870A2690
                                                                      • Part of subcall function 00007FF7870B3310: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870B3319
                                                                      • Part of subcall function 00007FF7870B3310: fprintf.MSPDB140-MSVCRT ref: 00007FF7870B3329
                                                                      • Part of subcall function 00007FF7870B3310: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7870B3333
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exit$__acrt_iob_funccallocexitfprintffreemallocmemcpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\ssl.c$buf_write(&seed, client_seed, client_seed_len)$buf_write(&seed, client_sid->id, SID_SIZE)$buf_write(&seed, label, strlen(label))$buf_write(&seed, server_seed, server_seed_len)$buf_write(&seed, server_sid->id, SID_SIZE)
                                                                    • API String ID: 4148537450-1787283480
                                                                    • Opcode ID: 2650bb3fbaf213049b268901b54fd3493438d21fb76e8792f9431e8d2f689eb6
                                                                    • Instruction ID: 1bc15dfdc494f7ae5f2b07593db016e9f4089566b5305a962653be0e4a411756
                                                                    • Opcode Fuzzy Hash: 2650bb3fbaf213049b268901b54fd3493438d21fb76e8792f9431e8d2f689eb6
                                                                    • Instruction Fuzzy Hash: EF91EA22E4968641FA149F54F5002B9EB51BF94B81FA85132CE4F57AA5EF3CF546C330
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$htonlinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 3620171695-0
                                                                    • Opcode ID: 10eaef6022dd912c5987964535a32e6fe1b46fec7c074d663837a341a1ea8ede
                                                                    • Instruction ID: 1a2bdbf7b2b9ca6ce5290f07d039782f14212502da64a1c99d2784e7c1396d7f
                                                                    • Opcode Fuzzy Hash: 10eaef6022dd912c5987964535a32e6fe1b46fec7c074d663837a341a1ea8ede
                                                                    • Instruction Fuzzy Hash: 44515A32E45B4285EB019F60E45136D77B5FB88B44F688839CE8EA7B58EF38D595C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: atoi$free
                                                                    • String ID: %u,%s$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$END$ERROR: The '%s' command is not supported by the current daemon mode$all$remote-entry-get
                                                                    • API String ID: 2401627053-4242093385
                                                                    • Opcode ID: ec14b4c165c9f7597c29d7fe388bd1f7ab1a1e3b692f56635e71c462cb3c5eed
                                                                    • Instruction ID: 23bb242254b727d2b407b869312ee09c1e31dc3f06835dba64628783ae88c1fb
                                                                    • Opcode Fuzzy Hash: ec14b4c165c9f7597c29d7fe388bd1f7ab1a1e3b692f56635e71c462cb3c5eed
                                                                    • Instruction Fuzzy Hash: 88419E61A5CA4281FA20BB11B440279E7A1FBC5B94FF44435DA4F87B95EF3CE647C620
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                     • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                     • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: freemalloc$FormatMessage__stdio_common_vsprintfgetnameinfomemsetselect
                                                                    • String ID: TCP connection established with %s$TCP: select() failed$[NULL]
                                                                    APIs
                                                                      • Part of subcall function 00007FF787144D80: MultiByteToWideChar.KERNEL32 ref: 00007FF787144E2B
                                                                      • Part of subcall function 00007FF787144D80: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787144E42
                                                                      • Part of subcall function 00007FF787144D80: MultiByteToWideChar.KERNEL32 ref: 00007FF787144E76
                                                                      • Part of subcall function 00007FF787144D80: GetStartupInfoW.KERNEL32 ref: 00007FF787144EAA
                                                                      • Part of subcall function 00007FF787144D80: CreateProcessW.KERNEL32 ref: 00007FF787144EFC
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF787112D72
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,?,00000000,?,00000000,00007FF787131B7C), ref: 00007FF787112E2E
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,?,00000000,?,00000000,00007FF787131B7C), ref: 00007FF787112E46
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidemalloc$CreateInfoProcessStartup__stdio_common_vsprintf_exitfree
                                                                    • String ID: %s: %s$disallowed by script-security setting$external program did not execute -- $returned error code %d
                                                                    APIs
                                                                    • _lseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7870B739E), ref: 00007FF78710143F
                                                                    • _write.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7870B739E), ref: 00007FF787101459
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7870B739E), ref: 00007FF7871014C7
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF7870B739E), ref: 00007FF7871014F4
                                                                    Similarity
                                                                    • API ID: free$_lseek_write
                                                                    • String ID: Cannot seek to beginning of --replay-persist file %s$Cannot write to --replay-persist file %s$PID Persist Write to %s: %s
                                                                    Similarity
                                                                    • API ID: inet_ntoa$__stdio_common_vsprintfgetnameinfohtons
                                                                    • String ID: %s_ip$%s_ip6$%s_port
                                                                    Similarity
                                                                    • API ID: getsockopt$setsockopt
                                                                    • String ID: NOTE: setsockopt SO_RCVBUF=%d failed$NOTE: setsockopt SO_SNDBUF=%d failed$Socket Buffers: R=[%d->%d] S=[%d->%d]
                                                                    Similarity
                                                                    • API ID: R_fetchR_freeR_get_key_length
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_backend.h$CRYPTO INFO: WARNING: zero key detected$ciphername$none
                                                                    APIs
                                                                    • EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,00007FF7870AC79E,?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870ADBDE
                                                                    • EVP_CIPHER_get0_name.LIBCRYPTO-3-X64(?,?,?,00007FF7870AC79E,?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870ADBFA
                                                                    • EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,00007FF7870AC79E,?,?,?,?,?,?,?,?,?,?,00007FF787104077), ref: 00007FF7870ADC06
                                                                    Similarity
                                                                    • API ID: R_fetchR_freeR_get0_name
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\crypto_openssl.c$[null-cipher]$ciphername$none
                                                                    Similarity
                                                                    • API ID: strcmp
                                                                    • String ID: --auth-retry method must be 'interact', 'nointeract', or 'none'$interact$nointeract$none
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: TUN/TAP I/O operation aborted, restarting$TUN/TAP interface has been stopped, exiting$Wintun read error, restarting$read from TUN/TAP$tun-abort$tun-stop
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\init.c$Control Channel MTU parms$TLS-Auth MTU parms$c->c2.tls_multi->opt.frame.buf.payload_size <= c->c2.frame.buf.payload_size
                                                                    Similarity
                                                                    • API ID: free$__stdio_common_vsprintfmallocmemset
                                                                    • String ID: %s,%s$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\push.c$PUSH_REPLY$auth-token %s$e && e->enable
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B2373
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B23B7
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B23DA
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B2404
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000008,00007FF7870B29AC,?,?,?,?,?,?,?,?), ref: 00007FF7870B241B
                                                                    Similarity
                                                                    • API ID: malloc$callocmemcpy
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\env_set.c$list$str
                                                                    • API String ID: 258562675-949558271
                                                                    • Opcode ID: 050beb66ddd5be4ede705e225eee73163c4114f4037eb574dd47514ab24f0317
                                                                    • Instruction ID: 767488dfda6b9523d582629c6b24f3458e118c2cb1348791fce223a6aed3fee6
                                                                    • Opcode Fuzzy Hash: 050beb66ddd5be4ede705e225eee73163c4114f4037eb574dd47514ab24f0317
                                                                    • Instruction Fuzzy Hash: AC316221A49B4585EA15AF01E950378A7A0FB88FA0FE94630CB6E47BD1EF3CD586C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID: >NOTIFY:%s,%s,%s$Connection reset command was pushed by server ('%s')$Halt command was pushed by server ('%s')$info$server-pushed-connection-reset$server-pushed-halt
                                                                    • API String ID: 1294909896-3463766527
                                                                    • Opcode ID: 029bf467e3e5cb06b569839f9923e658ca042fae4751e0f6ece5772a5083a5d7
                                                                    • Instruction ID: 4d82fa235fa21ddb60713dd7a331f15d5e3fb012445d931d98201c1c3f8fc42f
                                                                    • Opcode Fuzzy Hash: 029bf467e3e5cb06b569839f9923e658ca042fae4751e0f6ece5772a5083a5d7
                                                                    • Instruction Fuzzy Hash: 5D91DD71E8C64281EA14AB14B460379AB66BFE5B85FF44131CA8F47A95DF2DE843C320
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: isalnumisalphaiscntrlisdigitispunctisspaceisxdigit
                                                                    • String ID:
                                                                    • API String ID: 689186670-0
                                                                    • Opcode ID: 3d8b7ea4e5b55e451fddadbf5c48f5859d27f9ebf1422fb9d5763c3d302006d5
                                                                    • Instruction ID: 8686934969561415ff7a4c9946ff7227530f3914a22e954fcb6e17dddc96739f
                                                                    • Opcode Fuzzy Hash: 3d8b7ea4e5b55e451fddadbf5c48f5859d27f9ebf1422fb9d5763c3d302006d5
                                                                    • Instruction Fuzzy Hash: 43510A31E8824306FEB4A61BD45A338C1917F65765EF92835E80F811E2DE2CA88BC375
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Eventmemcpy
                                                                    • String ID: ($write_wintun(): drop invalid IP packet$write_wintun(): head/tail value is over capacity$write_wintun(): ring is full
                                                                    • API String ID: 2633924020-835648617
                                                                    • Opcode ID: 9c976046d321c5daaabef31ea2fd9b7f2d4379b3e3fc48bb774411c72165f352
                                                                    • Instruction ID: c8ba39efac262c552e74526414473dda74d8d36ae001a2b3e14065439e73d16f
                                                                    • Opcode Fuzzy Hash: 9c976046d321c5daaabef31ea2fd9b7f2d4379b3e3fc48bb774411c72165f352
                                                                    • Instruction Fuzzy Hash: F4516171A5864286EAA5AF15D040378E3A1FF40B44FF48535EA1FCA685DE3DEB42C770
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: strncmp
                                                                    • String ID: Flag 'def1' added to --redirect-gateway (iservice is in use)$null$tap$tun
                                                                    • API String ID: 1114863663-4091244182
                                                                    • Opcode ID: e3bf40da37610f597e57e7937d6aacc2db90c095ea5dc2726a38caf3cf7a895b
                                                                    • Instruction ID: 7fe71241a74a58d71b2fd4d79c9ea551a5df64c00e2deaa1a31ee967143d089f
                                                                    • Opcode Fuzzy Hash: e3bf40da37610f597e57e7937d6aacc2db90c095ea5dc2726a38caf3cf7a895b
                                                                    • Instruction Fuzzy Hash: 89517523A5C6CA85FBA5AB2091443B9A790FB45B44FA80035CA8F97385CF2DB486C731
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: freemalloc
                                                                    • String ID: %u$ACK %u breaks sequentiality: %s$ACK RWBS rel->size=%d rel->packet_id=%08x id=%08x ret=%d$[%u]$false
                                                                    • API String ID: 3061335427-2821648719
                                                                    • Opcode ID: a66d603154bdd942a759280c5d23629f84d3ac85edca1b287b39207f22b54bcc
                                                                    • Instruction ID: 9dea3a24423bbdce904349a5683c56d03fce30ffd42f8d53ebedc2257b9e234e
                                                                    • Opcode Fuzzy Hash: a66d603154bdd942a759280c5d23629f84d3ac85edca1b287b39207f22b54bcc
                                                                    • Instruction Fuzzy Hash: 1741C032E5864286EA20AF04F5046B9FB61FBC5795FB45030DA8F17A45DF3DE982CB20
                                                                    APIs
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D1DEB), ref: 00007FF7870D1B73
                                                                    • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF7870D1DEB), ref: 00007FF7870D1C84
                                                                    • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF7870D1DEB), ref: 00007FF7870D1C9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: callocfreememcpy
                                                                    • String ID: 0 <= x && x < mod && -mod <= y && y <= mod$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\integer.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\manage.c$h->size >= 0 && h->size <= h->capacity
                                                                    • API String ID: 2244791875-967843649
                                                                    • Opcode ID: 90e94c793622a452a3d846b158c3e739294b1197ad1622f753be3f83ed23ee82
                                                                    • Instruction ID: 5f1f47519c826ae96bd0cf8a528a2afbb93551a15d9865c6601d748b8bf8379c
                                                                    • Opcode Fuzzy Hash: 90e94c793622a452a3d846b158c3e739294b1197ad1622f753be3f83ed23ee82
                                                                    • Instruction Fuzzy Hash: 9141B522E58B8283E314DB24D5441B8A760FB94744FA5E335DB5E43A92EF39F5E6C310
                                                                    APIs
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB132
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7870CB17E
                                                                      • Part of subcall function 00007FF7870A33D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF78710423F,?,?,?,?,?,?,00000000), ref: 00007FF7870A33F8
                                                                      • Part of subcall function 00007FF7870A33D0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,00007FF78710423F,?,?,?,?,?,?,00000000), ref: 00007FF7870A340D
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF7870CE05C), ref: 00007FF7870CB27A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID: ERROR: The '%s' command is not supported by the current daemon mode$ERROR: client-auth command failed$SUCCESS: client-auth command succeeded$client-auth
                                                                    • API String ID: 1294909896-1509162132
                                                                    • Opcode ID: 5c90ae9984ec12559021e3c70a4e09242f63b21fc7beebda96b26991b49c3cdf
                                                                    • Instruction ID: 88e0c4c28799a7305a4452ad565954359162c05b964c99ac7e748c4eda327845
                                                                    • Opcode Fuzzy Hash: 5c90ae9984ec12559021e3c70a4e09242f63b21fc7beebda96b26991b49c3cdf
                                                                    • Instruction Fuzzy Hash: 07418E32A4869181EB50AF21F1542BCE365FB85BD8FA84035DF4E87B89CF38E546C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: InfoInterfacemalloc
                                                                    • String ID: GetInterfaceInfo #1 failed (status=%u) : %s$GetInterfaceInfo #2 failed (status=%u) : %s
                                                                    • API String ID: 1160929981-4053537578
                                                                    • Opcode ID: 20ea687225693985b825d9f675db70599eb7bd0e2c59c3b1f424d79819cbb345
                                                                    • Instruction ID: a6868ae7e0cde0147f10a49fa505fccd1b72ed9f6bdea863122a5539ff88e82e
                                                                    • Opcode Fuzzy Hash: 20ea687225693985b825d9f675db70599eb7bd0e2c59c3b1f424d79819cbb345
                                                                    • Instruction Fuzzy Hash: 4031C031E4860246EA24AB14B491279EB91FFC4BA4FE84435CA5F57F91EE3CE447C220
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 1452528299-2292894683
                                                                    • Opcode ID: f3f3453fa029a2a40a7c200f6fd1cb57bcb53efb1d2c9ff07f3f322976bbecfa
                                                                    • Instruction ID: 61a2654d3958f508c1319f2117c2bc9e8d48e0642a2365e92828138b5c8a06ba
                                                                    • Opcode Fuzzy Hash: f3f3453fa029a2a40a7c200f6fd1cb57bcb53efb1d2c9ff07f3f322976bbecfa
                                                                    • Instruction Fuzzy Hash: E031A232E5864682F614AB59A4043B9F761FBC4B84FB44530DA8E86BA4DF3CE587C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exit
                                                                    • String ID: NOTE: UID/GID downgrade %s$NOTE: chroot %s$Sorry but I can't chroot to '%s' because this operating system doesn't appear to support the chroot() system call$Unable to retain capabilities$will be delayed because of --client, --pull, or --up-delay
                                                                    • API String ID: 3375166485-2645831157
                                                                    • Opcode ID: 4b62217afb8101fed7bbf5bcae204793e650bb1ed60d810250466e60fac4f71d
                                                                    • Instruction ID: 9e37ba53b2b65d17259a95370430b8f80d8694f4d251bcd6f764f6e839251271
                                                                    • Opcode Fuzzy Hash: 4b62217afb8101fed7bbf5bcae204793e650bb1ed60d810250466e60fac4f71d
                                                                    • Instruction Fuzzy Hash: F4318521D8C68245FB54B71099043B4E651FF80794FF85036DAAF466D6CE6DA48BC3B1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$_waccessfreemalloc
                                                                    • String ID: o->connection_list
                                                                    • API String ID: 977454629-3458432272
                                                                    • Opcode ID: eba281e2074c6e0111925e716ccd6c771764a0604f8fe87de62c4982988ff021
                                                                    • Instruction ID: c52b61769917f53699910da3d8ffd97b7b78ed1624a6032abbc4c6af89e515dd
                                                                    • Opcode Fuzzy Hash: eba281e2074c6e0111925e716ccd6c771764a0604f8fe87de62c4982988ff021
                                                                    • Instruction Fuzzy Hash: 5911A535A44B4042E710EB12B910325EA62FB88BF0F580634DE6E57BE4DF3CD446C700
                                                                    APIs
                                                                      • Part of subcall function 00007FF7870ADA50: EVP_CIPHER_fetch.LIBCRYPTO-3-X64(?,?,?,?,?,00007FF7870AC86C), ref: 00007FF7870ADA90
                                                                      • Part of subcall function 00007FF7870ADA50: EVP_CIPHER_free.LIBCRYPTO-3-X64(?,?,?,?,?,00007FF7870AC86C), ref: 00007FF7870ADB47
                                                                    • EVP_MD_fetch.LIBCRYPTO-3-X64 ref: 00007FF78712E3FB
                                                                    • EVP_MD_free.LIBCRYPTO-3-X64 ref: 00007FF78712E407
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: D_fetchD_freeR_fetchR_free
                                                                    • String ID: AES-256-CTR$ERROR: --%s requires %s support.$SHA256$tls-crypt
                                                                    • API String ID: 4008786340-1936882018
                                                                    • Opcode ID: b3877b76341385eb262f73eb3c9927de54b84512149314b64434567f4e66eb42
                                                                    • Instruction ID: 63faba2ba6530e34780cfd7cfd4e872558268b3ec5f353773f46eb76dbcdb4a0
                                                                    • Opcode Fuzzy Hash: b3877b76341385eb262f73eb3c9927de54b84512149314b64434567f4e66eb42
                                                                    • Instruction Fuzzy Hash: 20219521E5C64281EB50AB11B5411A9E751FFC4BC4FA44131EF4E27FA9DE3CE59AC720
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: C_fetchC_freeX_newmallocmemset
                                                                    • String ID: HMAC
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$memset
                                                                    • String ID: WARNING: client-nat table overflow (max %d entries)
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7870E1FF2
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7870E2156
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: freemalloc
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\multi.c$GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d$buf_init(&buf, m->top.c2.frame.buf.headroom)$buf_write_u8(&buf, get_random() & 0xFF)
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: buf_prepend(&work, 2)
                                                                    APIs
                                                                      • Part of subcall function 00007FF787142E80: strstr.VCRUNTIME140(?,?,?,?,?,?,00007FF787140C29), ref: 00007FF787142E9F
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00000007,00000000,00000008,00000000), ref: 00007FF78710A412
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,-00000001,00000007,00000000,00000008,00000000), ref: 00007FF78710A4B6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: freemallocstrstr
                                                                    • String ID: AUTH_PENDING$AUTH_PENDING,timeout $PUSH: Received control message: '%s'$UEST
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: mallocmemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\packet_id.c$MIN_SEQ_BACKTRACK <= seq_backtrack && seq_backtrack <= MAX_SEQ_BACKTRACK$MIN_TIME_BACKTRACK <= time_backtrack && time_backtrack <= MAX_TIME_BACKTRACK$PID packet_id_init seq_backtrack=%d time_backtrack=%d
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$callocmemset$socket
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\event.c$ret
                                                                    APIs
                                                                    Strings
                                                                    • write_dhcp_search_str: search domain string must be <= 255 bytes, xrefs: 00007FF78713B5A0
                                                                    • write_search_dhcp_str: buffer overflow building DHCP options, xrefs: 00007FF78713B69C
                                                                    • write_dhcp_search_str: temp buffer overflow building DHCP options, xrefs: 00007FF78713B5C1
                                                                    Similarity
                                                                    • API ID: htonlmemcpy
                                                                    • String ID: write_dhcp_search_str: search domain string must be <= 255 bytes$write_dhcp_search_str: temp buffer overflow building DHCP options$write_search_dhcp_str: buffer overflow building DHCP options
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: htons
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socks.c$buf_defined(&head)$proto >= 0 && proto < PROTO_N
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseHandleReleaseSemaphore
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\win32.c$Closing Win32 semaphore '%s'$ReleaseSemaphore failed on Win32 semaphore '%s'$Releasing Win32 semaphore '%s'$s->locked
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF78712642C), ref: 00007FF78710C852
                                                                      • Part of subcall function 00007FF7870A26F0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870A277A
                                                                    • htonl.WS2_32 ref: 00007FF78710C932
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF78712642C), ref: 00007FF78710C9C2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintfhtonl
                                                                    • String ID: %u$ sid=%s
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintffreeinet_ntop
                                                                    • String ID: @$delete_route_ipv6(%s/%d)
                                                                    • API String ID: 3268905867-3818792123
                                                                    • Opcode ID: a6c1f1feb41d1ecd8edfe366e3c8c5bfd026d9a49b06dd1f553660c26a5f599a
                                                                    • Instruction ID: 3263ec7ef3bd218592a4dd945cf925d82236801c47cf7e6e2c667843e06d5e5d
                                                                    • Opcode Fuzzy Hash: a6c1f1feb41d1ecd8edfe366e3c8c5bfd026d9a49b06dd1f553660c26a5f599a
                                                                    • Instruction Fuzzy Hash: 9741C622E48A4589F710AF64E4512EDB770FB58B88F945135CE4E2BA46EF38E597C320
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: D_bytes
                                                                    • String ID: ERROR: could not generate random key$OpenVPN auth-token server key$RAND_bytes() failed$Using random %s.
                                                                    • API String ID: 2806743269-4148329901
                                                                    • Opcode ID: e3897115fa14fdd8be10feff2b09bf808a875aade94f59ae94107db9914f5eff
                                                                    • Instruction ID: 468f31940452be71ce924ca8ce2592f5b783c52192b248f52d32005220ac24e2
                                                                    • Opcode Fuzzy Hash: e3897115fa14fdd8be10feff2b09bf808a875aade94f59ae94107db9914f5eff
                                                                    • Instruction Fuzzy Hash: 934170319886428AEB54AF15D044379E751FB44B88FE55035CA0F9B289CE3DE987C771
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: free$FreeLibrary
                                                                    • String ID: PLUGIN_CLOSE: %s$PLUGIN_CLOSE: FreeLibrary() failed on plugin: %s
                                                                    • API String ID: 2580233958-3225011692
                                                                    • Opcode ID: a7350fe77e6b6e6283432febc3bbefbb59c2f7bda292c285a89789768139ac9f
                                                                    • Instruction ID: ef0547adfbe3e2a853611f3a0786c9f3e349d7f68dacc019dc52a42454e877be
                                                                    • Opcode Fuzzy Hash: a7350fe77e6b6e6283432febc3bbefbb59c2f7bda292c285a89789768139ac9f
                                                                    • Instruction Fuzzy Hash: 5A51C422E58A8286F760EF10E4443B9A761FBC1B98FA85135DB8E47659DF3CE496C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exit
                                                                    • String ID: Option '%s' in %s:%d is ignored by previous <connection> blocks $Option '%s' is ignored by previous <connection> blocks$option '%s' cannot be used in this context (%s)$option '%s' is not expected to be inline (%s:%d)
                                                                    • API String ID: 3375166485-2082166433
                                                                    • Opcode ID: 341c306029d0428c647ad62b3e07f06cfc2130e0e67befcc71d0b42cc54bf774
                                                                    • Instruction ID: eb75b1fbe1f23ec1a3e243791497d5d0b86ff46846e3b3bf88102e99c059fd88
                                                                    • Opcode Fuzzy Hash: 341c306029d0428c647ad62b3e07f06cfc2130e0e67befcc71d0b42cc54bf774
                                                                    • Instruction Fuzzy Hash: CB315E21A8824242FB54BB05A4813B8E761FB807D0FE40535EE4E97BE6DE3CE946C620
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: X_get_mac_size
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\auth_token.c$hmac_ctx_size(ctx) == 256/8
                                                                    • API String ID: 1083930163-3320193972
                                                                    • Opcode ID: a20067927529ae20d286d1b227213302bb9ce452d9a573db410c59e5e6195ffb
                                                                    • Instruction ID: 852f9ab7c2a3eedfd4d1b5d81f3fe4414fe971562ff75f293350045148fec72b
                                                                    • Opcode Fuzzy Hash: a20067927529ae20d286d1b227213302bb9ce452d9a573db410c59e5e6195ffb
                                                                    • Instruction Fuzzy Hash: EA21D831E5868151E660AB12F8543A5AA61FF88BC0FF44032FD4E47B69EE3CD947C350
                                                                    APIs
                                                                      • Part of subcall function 00007FF7870E5E00: memset.VCRUNTIME140 ref: 00007FF7870E5E2A
                                                                      • Part of subcall function 00007FF7870E5E00: GetTempPathW.KERNEL32 ref: 00007FF7870E6064
                                                                    • fprintf.MSPDB140-MSVCRT ref: 00007FF7870F256B
                                                                      • Part of subcall function 00007FF7870B2BE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,?,00000801,00007FF7870B332E), ref: 00007FF7870B2C17
                                                                    • fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7870F2573
                                                                    Strings
                                                                    • OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024, xrefs: 00007FF7870F24C7
                                                                    • %sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho, xrefs: 00007FF7870F24D6
                                                                    • , xrefs: 00007FF7870F253E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: PathTemp__stdio_common_vfprintffflushfprintfmemset
                                                                    • String ID: $%sGeneral Options:--config file : Read configuration options from file.--help : Show options.--version : Show copyright and version information.Tunnel Options:--local host : Local host name or ip address. Implies --bind.--remote ho$OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
                                                                    • API String ID: 2153335021-244214391
                                                                    • Opcode ID: 523f44a048e2eb64dcbe477bb2bb229fee1c123e573c61d05e3c761f36aa6f12
                                                                    • Instruction ID: 6c86443ad3f6409e62048a4c7aed5991bf2fa57d4edd0d65e9d6c882fde0f7b0
                                                                    • Opcode Fuzzy Hash: 523f44a048e2eb64dcbe477bb2bb229fee1c123e573c61d05e3c761f36aa6f12
                                                                    • Instruction Fuzzy Hash: 0321D076A0C7858AD764DF14F49079ABBA1F788344F50002AEA8E83B59DF3CE145CF44
                                                                    APIs
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7870C7485), ref: 00007FF7871145AD
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7870C7485), ref: 00007FF7871145D7
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7870C7485), ref: 00007FF787114656
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\buffer.c$Preresolving failed
                                                                    • API String ID: 2803490479-2531191563
                                                                    • Opcode ID: c18a7bd34b089a4fb2f71ad907e2fc46a61c30bf33f048dc9070a761aa0c9f11
                                                                    • Instruction ID: 51da2b8799d55636eb269e3e5bfa26d0fc961d02d3eb8ada9ad3d3a3552638d1
                                                                    • Opcode Fuzzy Hash: c18a7bd34b089a4fb2f71ad907e2fc46a61c30bf33f048dc9070a761aa0c9f11
                                                                    • Instruction Fuzzy Hash: CDC17E72E48682C5EA549F11F490679BBA5FB84F88FA49135DE4E4BB94EF3CD442C320
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$memset
                                                                    • String ID:
                                                                    • API String ID: 3081043919-0
                                                                    • Opcode ID: 6671b83725ad276d22e188a111a49b980f637e8cec1f8ba0b20ecea24c3995a3
                                                                    • Instruction ID: ae4bd8a79cac4220ea8d0fb10ac93457ddcc26a79d791b86472c03f57b0426dc
                                                                    • Opcode Fuzzy Hash: 6671b83725ad276d22e188a111a49b980f637e8cec1f8ba0b20ecea24c3995a3
                                                                    • Instruction Fuzzy Hash: E1B13927A05FC582E7498F28D6453ACB3A0FBA9B48F199225DF8D53312EF35A1E5C300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: R_freeR_get_flags$R_fetchR_get_mode
                                                                    • String ID:
                                                                    • API String ID: 715063678-0
                                                                    • Opcode ID: a7636b4a08d2fda248d3df7e9bf78498008631cfaf5482156904806eca4258cc
                                                                    • Instruction ID: 4edeb1336e298a6be43f869955e62bebb05d875ac89b42044a0fc8bf3506cd29
                                                                    • Opcode Fuzzy Hash: a7636b4a08d2fda248d3df7e9bf78498008631cfaf5482156904806eca4258cc
                                                                    • Instruction Fuzzy Hash: 88513B61E4934246EB14FF269449779AA91FF44BC4FA84630DE8F87B88DE3CD442C760
                                                                    APIs
                                                                      • Part of subcall function 00007FF787145E10: WriteFile.KERNEL32(?,00007FF7870B3267,?,?,?,00007FF7870A12AC), ref: 00007FF787145E50
                                                                      • Part of subcall function 00007FF787145E10: ReadFile.KERNEL32(?,00007FF7870B3267,?,?,?,00007FF7870A12AC), ref: 00007FF787145E6E
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78713AE29
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78713AE64
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: Filefree$ReadWrite
                                                                    • String ID: DHCP enabled on interface %d using service$Enable_dhcp$TUN: enabling dhcp using service failed: %s [status=%u if_index=%d]
                                                                    • API String ID: 1469289904-3833270484
                                                                    • Opcode ID: 68d7a48dc26e9a6f03159c6897f5a83c7f424bc4741068462995dcd3378e8ef6
                                                                    • Instruction ID: cc3bd57da45d08a4099f258e6007c89b154149863be465e76b92fc3e1d65eb92
                                                                    • Opcode Fuzzy Hash: 68d7a48dc26e9a6f03159c6897f5a83c7f424bc4741068462995dcd3378e8ef6
                                                                    • Instruction Fuzzy Hash: 99519C32E48B818AE710DF24E8413B9B7A1FBC9784F641235EACA56E55DFBCD142CB50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_exitconnectioctlsocketselect
                                                                    • String ID:
                                                                    • API String ID: 3428930917-0
                                                                    • Opcode ID: ff3b1bf0c682e44ef4a7d97732b1ea5b0121c8b9e8ad9c42f0bb43c2d872aade
                                                                    • Instruction ID: 6e77de29c00598f0a42f219c5361260bc171476d68d2414452abfa5cd6f7119c
                                                                    • Opcode Fuzzy Hash: ff3b1bf0c682e44ef4a7d97732b1ea5b0121c8b9e8ad9c42f0bb43c2d872aade
                                                                    • Instruction Fuzzy Hash: 5C31D272E4C65286F661AB11B44077AABA1BBC5B50FA05034EE4F4AE94DF3ED446CA20
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$_time64
                                                                    • String ID:
                                                                    • API String ID: 193071332-0
                                                                    • Opcode ID: c4c8d58dbe67eb1a06a492c19cda36664e235adad6a62d961967234e892c1df3
                                                                    • Instruction ID: dce639d1c846ee44bbc94801b8714310d322c753144080d43daed0d935bd00ec
                                                                    • Opcode Fuzzy Hash: c4c8d58dbe67eb1a06a492c19cda36664e235adad6a62d961967234e892c1df3
                                                                    • Instruction Fuzzy Hash: F3315131E497428AF754EF15B841229FAA6BB88750FF44039D54F87B90DE7CE486C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: callocmemset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\reliable.c$buf_init(&e->buf, offset)$false
                                                                    • API String ID: 1123775719-3038326879
                                                                    • Opcode ID: c72b178b93dbaf0407428e8883f79e44ada8837a2733324502e9df5ce530386c
                                                                    • Instruction ID: ed5ab56decd0275b27a7cdb5aa80682c20cad78997226578c08b28fea1f1bfe3
                                                                    • Opcode Fuzzy Hash: c72b178b93dbaf0407428e8883f79e44ada8837a2733324502e9df5ce530386c
                                                                    • Instruction Fuzzy Hash: 0021A032D08B9186E710DF11B4042AAFBA5FB84B84FA48535EF8A07A59DF3CE542CB50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: strstr
                                                                    • String ID: AES-256-GCM:AES-128-GCM$IV_CIPHERS=
                                                                    • API String ID: 1392478783-1533209391
                                                                    • Opcode ID: 0c379d4acc7e38c2fe5dcdd9139522316bb4a4775c8722f3bc3d20fe7e12f127
                                                                    • Instruction ID: 4dc28ff9413c7874442a4897b51f0dfe744ee7a935a15ab9ee513329edac5a81
                                                                    • Opcode Fuzzy Hash: 0c379d4acc7e38c2fe5dcdd9139522316bb4a4775c8722f3bc3d20fe7e12f127
                                                                    • Instruction Fuzzy Hash: 3121A221F48A4255EA14AB12B801176EF61BF84FD4FA84630DEAE07FA5EE3CE447C710
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$_wstat64i32freemalloc
                                                                    • String ID:
                                                                    • API String ID: 570839556-0
                                                                    • Opcode ID: ad2ec37127fac276a05f72a77a7c846f79011f51600c755d631229a9945bc388
                                                                    • Instruction ID: 3b5012e0827674038733d9395e7db9f94a6d35de385ee87136066a71fa2a16d0
                                                                    • Opcode Fuzzy Hash: ad2ec37127fac276a05f72a77a7c846f79011f51600c755d631229a9945bc388
                                                                    • Instruction Fuzzy Hash: 0B116D35A48B4186E710EB12B914329EAA2FB88BE0F584634DE9E57BA4DF3CD146C710
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103C7D
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103C94
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CC8
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CD1
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$DeleteFilefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4114541613-0
                                                                    • Opcode ID: 54bd685a69d3287877dd9866dbdafea6b2af2066d623355ce621e622b9b3feac
                                                                    • Instruction ID: c6d38b40889034db3410552cc3f379cad07168f5e6df9793cd22008fb24de081
                                                                    • Opcode Fuzzy Hash: 54bd685a69d3287877dd9866dbdafea6b2af2066d623355ce621e622b9b3feac
                                                                    • Instruction Fuzzy Hash: 65115E35A48B5186E710EB12B51032AAAA1FB88FE0F980635DE9E17FA4DF3CD546C714
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103C7D
                                                                    • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103C94
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CC8
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CD1
                                                                    • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7870B3A00), ref: 00007FF787103CE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$DeleteFilefreemalloc
                                                                    • String ID:
                                                                    • API String ID: 4114541613-0
                                                                    • Opcode ID: 01aaafa44253ba012cd191dae0e5b021d2bb3cae24bfce0ae514e8e509b112cb
                                                                    • Instruction ID: 5dd34c6b0dd36d5737f6f49858fa15608b69bea16d7bfc5210d6dcc24521123c
                                                                    • Opcode Fuzzy Hash: 01aaafa44253ba012cd191dae0e5b021d2bb3cae24bfce0ae514e8e509b112cb
                                                                    • Instruction Fuzzy Hash: 2D214935A48B5186EB20DB12B510329AAA1FB88FE0F980635DE9E17FA4DF3CD546C714
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: ControlDevice
                                                                    • String ID: %s: peer-id %d, keepalive %d/%d, mss %d$DeviceIoControl(OVPN_IOCTL_SET_PEER) failed$dco_set_peer
                                                                    • API String ID: 2352790924-1354079961
                                                                    • Opcode ID: 15c2d65d72e031ee407a92d47f2d535a1dbeddb83a46f0de353d6e68ba543359
                                                                    • Instruction ID: 9dd2cf129f71ae8ea0f951e591aaba0c2bb281f72ef692dc20d26097fd83944e
                                                                    • Opcode Fuzzy Hash: 15c2d65d72e031ee407a92d47f2d535a1dbeddb83a46f0de353d6e68ba543359
                                                                    • Instruction Fuzzy Hash: 5021C572D4864186E720EF15B84116AFBA0FBC8794FE04035EA5E87764EF3CD542CB10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: acceptclosesocket
                                                                    • String ID: TCP: Received strange incoming connection with unknown address length=%d$TCP: accept(%d) failed
                                                                    • API String ID: 635517647-1481401153
                                                                    • Opcode ID: ed7c1431c51c093124d515df3fc0d5f151abc9b16ff06f259d7420c0bbffc4ba
                                                                    • Instruction ID: c8103652df969d79fdc889971180be9d15f96ea8827a377efe010660b66aa9bb
                                                                    • Opcode Fuzzy Hash: ed7c1431c51c093124d515df3fc0d5f151abc9b16ff06f259d7420c0bbffc4ba
                                                                    • Instruction Fuzzy Hash: 7221C230E4864181EA20EB15B401175AB51FFC4BA4FE41335E9AE0BBD5EE6CE583C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: isalnumisprintisspace
                                                                    • String ID: n >= 0 && n + base + 1 <= max_parms
                                                                    • API String ID: 3704409219-3287072990
                                                                    • Opcode ID: 9eddcfac2edcef13336d78527af5c47d8088c141012637a8565d4157ae65afa5
                                                                    • Instruction ID: 5e5ef8d1878ff5697d822ab293d84f5eb602a33bc073cc37247b7c278595868b
                                                                    • Opcode Fuzzy Hash: 9eddcfac2edcef13336d78527af5c47d8088c141012637a8565d4157ae65afa5
                                                                    • Instruction Fuzzy Hash: A9219862ECC74AC1FE646A2594993B9EAA1BB40780FB80235D58F836D5DD2DD447C620
                                                                    APIs
                                                                    • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000000,00000003,00007FF787105330), ref: 00007FF787104410
                                                                    • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,00000003,00007FF787105330), ref: 00007FF787104485
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: _exitstrncmp
                                                                    • String ID: %s[%d] = '%s'$password
                                                                    • API String ID: 4142068672-2461356184
                                                                    • Opcode ID: a031e2f54aaa55eaafd3fd44119b7a876506f84d54ae2dea2b4f19b7393de99f
                                                                    • Instruction ID: b5180c847187a327a9513bf612030e8116e9616c1249596376575eb6a55b003c
                                                                    • Opcode Fuzzy Hash: a031e2f54aaa55eaafd3fd44119b7a876506f84d54ae2dea2b4f19b7393de99f
                                                                    • Instruction Fuzzy Hash: 8F11A232F4865185EA00AF16F8C0368EB94FBC5B84FA50439DE5E87BA1DE7CD446C320
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc$memset
                                                                    • String ID:
                                                                    • API String ID: 3081043919-0
                                                                    • Opcode ID: 3517eabb75d3eab992f18b9f652c73f5bc7d3ea1773b06e1aab2ac9e694b6190
                                                                    • Instruction ID: a0faf178ef4cbc1baeee48d422a414d6e36447f9c19db792e5800e6e2fa6e03b
                                                                    • Opcode Fuzzy Hash: 3517eabb75d3eab992f18b9f652c73f5bc7d3ea1773b06e1aab2ac9e694b6190
                                                                    • Instruction Fuzzy Hash: 1D519522E19FC582E751DF24A5113B86360FBA8B88F59D225DF8D12716EF38E2D5C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: %02X$%02x
                                                                    • API String ID: 2803490479-1089151225
                                                                    • Opcode ID: d71519299d5c9130c4bf4fbf72e123021da541dab55c5b77faa2ef667d3cb76b
                                                                    • Instruction ID: 54c449a87cf75f29a8822c1504a00165c7bfc254a630bd3edbbfa84a59d8df28
                                                                    • Opcode Fuzzy Hash: d71519299d5c9130c4bf4fbf72e123021da541dab55c5b77faa2ef667d3cb76b
                                                                    • Instruction Fuzzy Hash: 19510822A48B8245EA25EF16B54077AEBA0FFC4B84FA54135DE4F87A45DE3CD4C2C720
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\socket.h$proto >= 0 && proto < PROTO_N
                                                                    • API String ID: 0-2292894683
                                                                    • Opcode ID: 8559e744027f0922e5d117631027d31ff8acb1fa341a7ba8e43b3d7816632485
                                                                    • Instruction ID: 428053c7b74235b07adce0e0b5882ab7b27317f726b1634a571132b50b888be2
                                                                    • Opcode Fuzzy Hash: 8559e744027f0922e5d117631027d31ff8acb1fa341a7ba8e43b3d7816632485
                                                                    • Instruction Fuzzy Hash: 30518132B45A8196FB18DF21D5843F8A7A1FB48784F984035CF4E576A0DF38E6A6D350
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.1974445073.00007FF7870A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF7870A0000, based on PE: true
                                                                    • Associated: 00000008.00000002.1974273154.00007FF7870A0000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1974825392.00007FF78714E000.00000002.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976332486.00007FF787195000.00000004.00000001.01000000.00000006.sdmp
                                                                    • Associated: 00000008.00000002.1976497088.00007FF78719F000.00000002.00000001.01000000.00000006.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7ff7870a0000_openvpn.jbxd
                                                                    Similarity
                                                                    • API ID: __stdio_common_vsprintf_exit_writestrchr
                                                                    • String ID:
                                                                    • API String ID: 2615646571-0
                                                                    • Opcode ID: cd5c15d4eafd76b8efeebf3e158245b71550d77b880f36bb438fe1d6414890c4
                                                                    • Instruction ID: 98b2f31fe099016c4b0e45101c9ae093d29991b5c21b2c7f3bd906d51e9db8d7
                                                                    • Opcode Fuzzy Hash: cd5c15d4eafd76b8efeebf3e158245b71550d77b880f36bb438fe1d6414890c4
                                                                    • Instruction Fuzzy Hash: 76518032E5868695FB10EB14E548378BBA0FBC4B44FA41175CA5E43AA1DF3DE49BC360
                                                                    Similarity
                                                                    • API ID: malloc$__stdio_common_vsprintf
                                                                    • String ID: @$S%s
                                                                    • API String ID: 1056972871-4270127029
                                                                    • Opcode ID: d5ae3be8a798c4a1028a0ecc2689ab26ace41c77e15f6a3be023109f6db23809
                                                                    • Instruction ID: e9077fd57985cabc99703da70e8ab234a0e27fb76eefa7da3893852cf8a2a2ba
                                                                    • Opcode Fuzzy Hash: d5ae3be8a798c4a1028a0ecc2689ab26ace41c77e15f6a3be023109f6db23809
                                                                    • Instruction Fuzzy Hash: AB51C131E8D78285EB54AB14F5902B9EB60FF80390FE49136D64F1AEA5DF2CE546C720
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: %02x$false
                                                                    • API String ID: 2803490479-225604209
                                                                    • Opcode ID: 10a4ab73b1ee84dd3a161da85d82e2957cc1fa79bbff6f2a76c61b95a76622a2
                                                                    • Instruction ID: 42a3e1729a454f7b4b3af58f80c3e812c0e6da94bd7cfb29a55895139fa3482d
                                                                    • Opcode Fuzzy Hash: 10a4ab73b1ee84dd3a161da85d82e2957cc1fa79bbff6f2a76c61b95a76622a2
                                                                    • Instruction Fuzzy Hash: D341B235E58B8285E725AF15B440139FBA1FBC5780F945234EA8E47E99DF3CE046C720
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\console.c$i < QUERY_USER_NUMSLOTS$prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL
                                                                    • API String ID: 2221118986-3009440023
                                                                    • Opcode ID: 59fa8a1790128c9d8ab88c127bc62b3aca7c7a1c1b8745fcc3cd65d9808cb20a
                                                                    • Instruction ID: 3dc1aacdf3cd009a5574c09c68927a37db17a09659598111e4b4633f64a42b50
                                                                    • Opcode Fuzzy Hash: 59fa8a1790128c9d8ab88c127bc62b3aca7c7a1c1b8745fcc3cd65d9808cb20a
                                                                    • Instruction Fuzzy Hash: BF219831A5878180EA05E705E4483B4EB65FB84781FF44135DE5E83B99DEBCD143C320
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID: C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\event.c$index >= 0 && index < wes->n_events
                                                                    • API String ID: 1294909896-2505472677
                                                                    • Opcode ID: 970591b22d8e40a2aeb051dc066626432922240b69d5fba4a2f187c3203d1a31
                                                                    • Instruction ID: 10fc6d002a72107ed031c030c56706115dc20543bb90d5932982cc42dae5d08d
                                                                    • Opcode Fuzzy Hash: 970591b22d8e40a2aeb051dc066626432922240b69d5fba4a2f187c3203d1a31
                                                                    • Instruction Fuzzy Hash: A4117F32E55A4592E744EB55E4846BCB761F798B88FF04132DA0E83760EF39E28AC710
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID: PID packet_id_free
                                                                    • API String ID: 1294909896-3852019670
                                                                    • Opcode ID: 4d773465c714df3a594f7c5098b4539e72969713fe1acfd2c09bfc3b91145048
                                                                    • Instruction ID: 83bb8c3c976f43263a6abc95d4a104e545b4c8f7b4f9f95c3cf328620ba74344
                                                                    • Opcode Fuzzy Hash: 4d773465c714df3a594f7c5098b4539e72969713fe1acfd2c09bfc3b91145048
                                                                    • Instruction Fuzzy Hash: 2921D662E5878192E750EF30D5413F8A760FFD4B48FA46335DA4E0A955EF28E0E2C320
                                                                    Similarity
                                                                    • API ID: __acrt_iob_funcfprintf
                                                                    • String ID: TUN READ [%d]
                                                                    • API String ID: 3693261709-361772232
                                                                    • Opcode ID: 1449100b91546307ce8176e93f0a7566c37c5c1d9ed346514727656fc2eb6e50
                                                                    • Instruction ID: 201714d5437684cb9633203beab482abc50616c87635df2c7bf9d59ce1e96a1a
                                                                    • Opcode Fuzzy Hash: 1449100b91546307ce8176e93f0a7566c37c5c1d9ed346514727656fc2eb6e50
                                                                    • Instruction Fuzzy Hash: D4219631D9C682C1EB58AF95A1513F9A364FF54B88FE80135DB4F8A285DF6C9682C730
                                                                    Similarity
                                                                    • API ID: ControlDevice
                                                                    • String ID: @$DeviceIoControl(OVPN_IOCTL_GET_STATS) failed
                                                                    • API String ID: 2352790924-2939315757
                                                                    • Opcode ID: 1033fa98a3fdfeafc72bbc2ab2f8b052daa16e3babc8f8adcfdad4f3c4a83774
                                                                    • Instruction ID: 9763d1ecfe0332a6bf7b603da3cfdb177a18073f91d5921fe91296b8354bad7a
                                                                    • Opcode Fuzzy Hash: 1033fa98a3fdfeafc72bbc2ab2f8b052daa16e3babc8f8adcfdad4f3c4a83774
                                                                    • Instruction Fuzzy Hash: 7221B532A19B8186E760DF25E4453BD73A0FBC9744FA40235DA9D47B65EF38D582C710
                                                                    Similarity
                                                                    • API ID: setsockopt
                                                                    • String ID: NOTE: setsockopt TCP_NODELAY=%d failed$Socket flags: TCP_NODELAY=%d succeeded
                                                                    • API String ID: 3981526788-1966526966
                                                                    • Opcode ID: f2d51c3faeb0ef994622ecf9fd5b1b6e99529f6841e7687d903d6ff432f72fc3
                                                                    • Instruction ID: 52d103ab2732a8d5e02e3986869037dbcf410e4c02a055d432c0605dba4136ae
                                                                    • Opcode Fuzzy Hash: f2d51c3faeb0ef994622ecf9fd5b1b6e99529f6841e7687d903d6ff432f72fc3
                                                                    • Instruction Fuzzy Hash: 4E116071E582424AFA40BB10E4527A9A752FBC4384FE02435E64F5BA96EE3CE507CB20
                                                                    Similarity
                                                                    • API ID: _exitioctlsocket
                                                                    • String ID: Set socket to non-blocking mode failed
                                                                    • API String ID: 303948527-1532958630
                                                                    • Opcode ID: 30d4dcb3cd1f865d7342167a3d0bb13113fa00a939cc4e53341bd9a26c24f331
                                                                    • Instruction ID: f18a3d0acf4310c713b1445f7b1ef82a9020482a52a0ed32fd549fb04709eda1
                                                                    • Opcode Fuzzy Hash: 30d4dcb3cd1f865d7342167a3d0bb13113fa00a939cc4e53341bd9a26c24f331
                                                                    • Instruction Fuzzy Hash: F4F0B430E8854251FB24BF10E4123B5AB51FFC8348FE00135DA4E467A1EE3CE247C620
                                                                    Similarity
                                                                    • API ID: Any_expkcs11h_certificate_sign
                                                                    • String ID: PKCS#11: pkcs11_terminate - entered$PKCS#11: pkcs11_terminate - return
                                                                    • API String ID: 269981986-519299666
                                                                    • Opcode ID: a37c4929f3130f56d5c23432b3e0c90acba2e17d26f8d785d593eee860b1a68e
                                                                    • Instruction ID: e536ad349661414a886ec2b02d95d950a75ea9477616c21e492d1e7cd2a8e2c8
                                                                    • Opcode Fuzzy Hash: a37c4929f3130f56d5c23432b3e0c90acba2e17d26f8d785d593eee860b1a68e
                                                                    • Instruction Fuzzy Hash: 76F05820D8D20399F858BB407C09270E692BFC5368FF800B0C86F9A796EE9C2587C331